April 1, 2005 11:35 AM PST

Critical flaws in IE and Outlook discovered

  • 43 comments
A new set of highly critical flaws has been discovered in Microsoft's Internet Explorer and Outlook programs, according to research company eEye Digital Security.

The vulnerabilities allow for remote code execution with no actions from the computer user, eEye said. Although the flaws would not allow self-propagating worms to infiltrate a system, there is the potential of attackers installing backdoor Trojans without a person's knowledge, Ben Nagy, an eEye senior security engineer, said Friday.

"If a user is tricked (into going) to a site carrying malicious code, they can become infected by just surfing across a banner ad," Nagy said.

eEye notified Microsoft several days ago of the flaws in the default installation of Outlook and IE and is giving the software giant time to develop a patch before releasing details on which versions of the software are affected, Nagy said.

For now, only a few details are included in eEye's page of upcoming advisories.

Nagy added that eEye is also still conducting its own testing of various platforms to evaluate which ones are affected and to what degree.

No exploits are known to have been developed yet, Nagy said.

"Microsoft has acknowledged a vulnerability does exist and is real, but I doubt they will release a patch out of (their monthly) cycle," Nagy said.

Microsoft, meanwhile, said it is investigating privately reported, possible vulnerabilities in Microsoft Windows.

"At this time, Microsoft is not aware of any malicious attacks attempting to exploit the reported vulnerabilities, and there is no customer impact based on this issue," said a company spokeswoman. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through a service pack, our monthly release process or an out-of-cycle security update, depending on customer needs."

Several "Days"
by Pixelslave April 1, 2005 10:30 AM PST
>> eEye notified Microsoft several days ago of the flaws in the default installation of Outlook and IE and is giving the software giant time to develop a patch before releasing details on which versions of the software are affected, Nagy said.

Wow! They gave MS several DAYS to create a patch.

Aren't these "security" consultants wonderful. Everyone has to pay attention to them immediately. If not, you are the bad guy.

Several days are not even enough for investigation if a company is serious in solving the problem!

Get a life, guys!

PixelSlave
You may have misunderstood?
by vanox April 1, 2005 11:11 AM PST
You may have misinterpreted what was said. The article stated that "eEye notified Microsoft several days ago..." and they are "giving the software giant time to develop a patch before releasing details on which versions of the software are affected"

Also stated was this quote: "Microsoft has acknowledged a vulnerability does exist and is real, but I doubt they will release a patch out of (their monthly) cycle," Nagy said.

To me it sounds like eEye did their part and notified MS and understand it will take time to develop a patch.

Just my 2 cents...
Wrong, no details are released!!!
by Rusdude April 1, 2005 12:12 PM PST
If you go to the link (http://www.eeye.com/html/research/upcoming/20050329.html), you'll see that there're no details released about the vulnerability aside from which programs it affects. This knowledge isn't going to allow anyone to do anything bad! eEye is waiting for MS to release the patch, all they did was to release a preliminary report that they found an error.
What's the news????
by Earl Benser April 1, 2005 12:34 PM PST
IE and Outlook are basically defective programs, cobbled together to beat Netscape, and in the process, became the source of much of Windows key coding. That's innovation for you. IE and Outlook were badly conceived, badly written, badly integrated, and now cannot be really changed without screwing up Windows too.

Anyhow, it's nice that MS has people looking out for their interests. I just wish MS was looking out for its customers' interests.

Maybe that's why I am a MS customer so rarely.
Why so harsh?
by Buzz_Friendly April 1, 2005 1:30 PM PST
I stopped blaming MS a few years ago. If people don't know that IE and Outlook are the biggest holes in their PC by now they never will. Yet people keep shoveling money to Redmond for more punishment. Given these facts, where is MS's incentive to change? Remember the customer is always right.
Windows will be more secure than Linux
by April 2, 2005 5:40 AM PST
I agree with your analysis that Microsoft basically threw out security issues in order to beat Netscape in the browser wars.

However, times change and that was a long time ago. Now, Microsoft is dedicating huge resources to shoring up its security story. You may choose to ignore them, like Netscape did years ago, but in time Microsoft's operating system and browser will be more secure than anything else.

Two points come to mind immediately....

One is that stories like these are the result of people at security companies with a vested interest in finding security holes in IE. These companies are unwittingly helping Microsoft secure IE. The number of these vulnerabilities is certainly a static number and the more that are found, the sooner all of them will be found.

Second, unlike virtually anyone else, Microsoft is slowly but methodically converting all its programs to be CLR (Common Language Runtime) based. The CLR, like other virtual machines, provides a better security model and sandbox better suited for programs that access the Internet.

Where is there a Java based browser?

Why is firefox not Java based?

Your comments, while appropriate for today, will slowly but surely lose their relevance as Microsoft works toward a better computing model.
I'm shocked
by Buzz_Friendly April 1, 2005 1:26 PM PST
Let me help CNET out. I think you could safely rerun on every Friday that a new flaw was found in IE and Outlook. Where's the news in this?
Really?
by 201293546946733175101343322673 April 1, 2005 10:05 PM PST
Please show me a piece of news DATED LAST FRIDAY about an IE or Outlook flaw. Otherwise you are just making things up :)
Not possible with HIGH security setting.
by jv April 1, 2005 2:36 PM PST
If browser is set to HIGH security then NO scripts can run. The only vulnerability should be the HTML help issue which has already been patched.

I claim that any browser that runs any version of java is vulnerable. As holes are closed the attacks will concentrate on this area for all browsers.
Your claim is wrong
by Bill Dautrive April 1, 2005 5:40 PM PST
First off, why do you think this is a Java problem?

Unless signed, a Java applet can not access anything on your computer, it can't even write to a file or read one, or access the directory structure.

As for signed applets, if you download a signed applet without scrutinizing it, then it is your fault.

Setting IE to high security is a band aid solution that cripples your web browsing abilities. It is still more flawed than Firefox set to default.
What I like is...
by April 1, 2005 3:47 PM PST
What I like is that Microsoft admitted that these problems are real; however, they will release a patch only at the regular time of month. I think it is pretty good when you have a critical flaw, you admit you have it yet you won't release a fix because the proper day of the month hasn't arrived yet. I guess it is more important to keep up their monthly patch schedule than it is to quickly make sure that people's systems are secure.

Another example of Micro-crap.

Robert
Actually. . .
by April 1, 2005 4:31 PM PST
they did say they hadn't decided yet when to release the patch.

Someone else said they probably would only release that on the monthly cycle, and as much as I hate defending MS for any reason, this is basically what IT of most businesses have asked for to make their patching process easier.

There's no exploit yet anyway, and the security company released no helpful information for the bad guys, so we can afford to wait a little bit.

Besides, like others have said, with the High security setting, this flaw doesn't matter. And since I'm running Firefox and Thunderbird, this doesn't matter for me at all. I just get to read about another flaw I get to avoid since I switched. Somewhat refreshing, actually. :)
Microsoft Is Just Patching The Patches
by Stating April 1, 2005 4:33 PM PST
What is apparent is that Microsoft's core technology is unsecure. If this were not the case then we would not still be reading about these weaknesses and exploits YEARS after Gates launched his trustworthy computing initiative.

The fact is that Microsoft operating systems cannot distinguish what is a malicious act and what is not. They do not learn over time how to make this distinction. They also cannot distinguish between processes launched directly by a user or on behalf of a user. I'll venture to say that 95% of the folks reading this are logged on as Admin, or using an account with Admin rights. This is understandable because it is a huge annoyance to have actions fail because of insufficient rights, but it further compromises the system.

What all 3rd party MS security tools have in common is that they attempt to distinguish between malicious and non malicious acts. If an action is potentially malicious, then they give the user the opportunity to allow or disallow the action. If the user guesses wrong, something bad happens.

A recent CNET article on Longhorn asked the question as to whether customers will embrace the new release, be willing to pay for it. A quick review of planned security enhancements in Longhorn leads me to conclude that the core security weaknesses still exist in Longhorn. It is the same old "close the barn door after the horses get out" approach. So no, Longhorn does not represent a compelling upgrade, and next year at this time we will still be reading about new MS security exploits, this time in Longhorn.

Microsoft Details Longhorn Security
Joris Evers, IDG News Service
Thursday, February 26, 2004

"A component of the protection system, dubbed "dynamic system protection," will track which security patches (Keith: bad news) users have installed. The component will make changes to the Windows firewall to fend off any attacks that appear to take advantage of a security flaw that users have not yet patched themselves against. (Keith: bad news)

For example, if Microsoft has provided a patch for a flaw (Keith: bad news) involving ActiveX controls, dynamic system protection will block ActiveX controls from running on a Windows system until that patch is installed, Microsoft says."

What does all this mean? Don't look to Microsoft to solve their own security problems (or apparently even find them), because they do not understand the underlying causes.

Keith
www.techcando.com
Oh, that's great. . .
by April 1, 2005 4:41 PM PST
So, they can block you from using a feature until you install their poorly tested security patch that might just destroy the performance of your system?

Aiye. . .

I hate Microsoft.
Finally!
by April 1, 2005 8:35 PM PST
It's so relieving to see another that understands the inherent
insecurity that the registry effective file system core exposes
Windows to! As long as the registry remains, Windows can never
be internet secure!
Then
by 201293546946733175101343322673 April 1, 2005 10:02 PM PST
What is the SECURE system in the world, may I ask? :)
Hey Dave, Why'd you post this three times?
by unixrules April 5, 2005 5:52 AM PDT
Is your system screwed up?
Dave is using IE to post here
by April 5, 2005 4:23 PM PDT
heh heh.
Mislabeled threat
by April 5, 2005 6:45 AM PDT
"The vulnerabilities allow for remote code execution with no actions from the computer user, eEye said."

This would mean that a computer sitting at the login prompt would be vulnerable... which would mean that app servers would also be vulnerable... this gets IT support hopping.

But.... if you read further:
"If a user is tricked (into going) to a site carrying malicious code, they can become infected by just surfing across a banner ad," Nagy said.

That would require USER INTERACTION with the computer.

The sky is not falling.