April 1, 2005 11:35 AM PST

Critical flaws in IE and Outlook discovered

A new set of highly critical flaws has been discovered in Microsoft's Internet Explorer and Outlook programs, according to research company eEye Digital Security.

The vulnerabilities allow for remote code execution with no actions from the computer user, eEye said. Although the flaws would not allow self-propagating worms to infiltrate a system, there is the potential of attackers installing backdoor Trojans without a person's knowledge, Ben Nagy, an eEye senior security engineer, said Friday.

"If a user is tricked (into going) to a site carrying malicious code, they can become infected by just surfing across a banner ad," Nagy said.

eEye notified Microsoft several days ago of the flaws in the default installation of Outlook and IE and is giving the software giant time to develop a patch before releasing details on which versions of the software are affected, Nagy said.

For now, only a few details are included in eEye's page of upcoming advisories.

Nagy added that eEye is also still conducting its own testing of various platforms to evaluate which ones are affected and to what degree.

No exploits are known to have been developed yet, Nagy said.

"Microsoft has acknowledged a vulnerability does exist and is real, but I doubt they will release a patch out of (their monthly) cycle," Nagy said.

Microsoft, meanwhile, said it is investigating privately reported possible vulnerabilities in Microsoft Windows.

"At this time, Microsoft is not aware of any malicious attacks attempting to exploit the reported vulnerabilities, and there is no customer impact based on this issue," said a company spokeswoman. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through a service pack, our monthly release process or an out-of-cycle security update, depending on customer needs."

43 comments (showing first 20 comments)
Several "Days"
by Pixelslave April 1, 2005 10:30 AM PST
>> eEye notified Microsoft several days ago of the flaws in the default installation of Outlook and IE and is giving the software giant time to develop a patch before releasing details on which versions of the software are affected, Nagy said.

Wow! They gave MS several DAYS to create a patch.

Aren't these "security" consultants wonderful? Everyone has to pay attention to them immediately. If not, you are the bad guy.

Several days are not even enough for investigation if a company is serious in solving the problem!

Get a life, guys!

PixelSlave
What's the news????
by Earl Benser April 1, 2005 12:34 PM PST
IE and Outlook are basically defective programs, cobbled together to beat Netscape, and in the process became the source of much of Windows' key coding. That's innovation for you. IE and Outlook were badly conceived, badly written, badly integrated, and now cannot really be changed without screwing up Windows too.

Anyhow, it's nice that MS has people looking out for their interests. I just wish MS was looking out for its customers' interests.

Maybe that's why I am an MS customer so rarely.
I'm shocked
by Buzz_Friendly April 1, 2005 1:26 PM PST
Let me help CNET out. I think you could safely rerun on every Friday that a new flaw was found in IE and Outlook. Where's the news in this?
Not possible with HIGH security setting.
by jv April 1, 2005 2:36 PM PST
If the browser is set to HIGH security then NO scripts can run. The only vulnerability should be the HTML Help issue, which has already been patched.

I claim that any browser that runs any version of java is vulnerable. As holes are closed the attacks will concentrate on this area for all browsers.
What I like is...
by April 1, 2005 3:47 PM PST
What I like is that Microsoft admitted that these problems are real; however, they will release a patch only at the regular time of the month. I think it is pretty good when you have a critical flaw, you admit you have it, yet you won't release a fix because the proper day of the month hasn't arrived yet. I guess it is more important to keep up their monthly patch schedule than it is to quickly make sure that people's systems are secure.

Another example of Micro-crap.

Robert
Microsoft Is Just Patching The Patches
by Stating April 1, 2005 4:33 PM PST
What is apparent is that Microsoft's core technology is insecure. If this were not the case then we would not still be reading about these weaknesses and exploits YEARS after Gates launched his Trustworthy Computing initiative.

The fact is that Microsoft operating systems cannot distinguish what is a malicious act and what is not. They do not learn over time how to make this distinction. They also cannot distinguish between processes launched directly by a user or on behalf of a user. I'll venture to say that 95% of the folks reading this are logged on as Admin, or using an account with Admin rights. This is understandable because it is a huge annoyance to have actions fail because of insufficient rights, but it further compromises the system.

What all 3rd-party MS security tools have in common is that they attempt to distinguish between malicious and non-malicious acts. If an action is potentially malicious, then they give the user the opportunity to allow or disallow the action. If the user guesses wrong, something bad happens.

A recent CNET article on Longhorn asked the question as to whether customers will embrace the new release, be willing to pay for it. A quick review of planned security enhancements in Longhorn leads me to conclude that the core security weaknesses still exist in Longhorn. It is the same old "close the barn door after the horses get out" approach. So no, Longhorn does not represent a compelling upgrade, and next year at this time we will still be reading about new MS security exploits, this time in Longhorn.

Microsoft Details Longhorn Security
Joris Evers, IDG News Service
Thursday, February 26, 2004

"A component of the protection system, dubbed "dynamic system protection," will track which security patches (Keith: bad news) users have installed. The component will make changes to the Windows firewall to fend off any attacks that appear to take advantage of a security flaw that users have not yet patched themselves against. (Keith: bad news)

For example, if Microsoft has provided a patch for a flaw (Keith: bad news) involving ActiveX controls, dynamic system protection will block ActiveX controls from running on a Windows system until that patch is installed, Microsoft says."

What does all this mean? Don't look to Microsoft to solve their own security problems (or apparently even find them), because they do not understand the underlying causes.

Keith
www.techcando.com
Finally!
by April 1, 2005 8:35 PM PST
It's so relieving to see another that understands the inherent insecurity that the registry effective file system core exposes Windows to! As long as the registry remains, Windows can never be internet secure!
Hey Dave, Why'd you post this three times?
by unixrules April 5, 2005 5:52 AM PDT
Is your system screwed up?
Mislabeled threat
by April 5, 2005 6:45 AM PDT
"The vulnerabilities allow for remote code execution with no actions from the computer user, eEye said."

This would mean that a computer sitting at the login prompt would be vulnerable... which would mean that app servers would also be vulnerable... This gets IT support hopping.

But.... if you read further:
"If a user is tricked (into going) to a site carrying malicious code, they can become infected by just surfing across a banner ad," Nagy said.

That would require USER INTERACTION with the computer.

The sky is not falling.