March 24, 2006 5:22 PM PST

Microsoft mulls rushing out IE patch

Microsoft may rush out a security update for Internet Explorer to fix a flaw that is now being exploited to attack Windows systems, security companies say.

Computer code that demonstrates how a hacker can use the flaw to take over a PC was released onto the Net on Thursday. At least two such exploits were made public, and one has now been adapted to attack systems, Monty IJzerman, the manager of security content at McAfee, said on Friday.

"This exploit code is being used in the wild in malware," or malicious software, IJzerman said. "I expect other attacks to be prepared and to be out there over the next few days."

In a security advisory issued Thursday, Microsoft said it will address the vulnerability in a security update, but did not say when that patch would be delivered. Its next "Patch Tuesday" bundle of fixes is scheduled for April 11. On Friday, however, Microsoft indicated that a security patch might be released outside of the regular cycle.

"It is on the table," said Stephen Toulouse, a program manager in Microsoft's Security Response Center. "Every time any kind of exploitation is going on, it is on the table."

The flaw is the third to hit Microsoft this week. It has to do with how Internet Explorer handles the "createTextRange()" tag in Web pages. A hacker could take advantage of it to gain control over a vulnerable PC by crafting a specially coded Web site, Microsoft said.

McAfee found that a Web site is using the IE vulnerability to sneak malicious code onto vulnerable Windows PCs, IJzerman said. The company has updated its security software to protect against that code, which IJzerman could only describe as something related to spyware.

Security companies Sunbelt Software and Websense have also reported seeing attacks out on the Internet.

Symantec had not yet seen the attack on Friday, but said it expected to see them. "There is a lot of financial incentive to exploit this stuff and foist nasty, unwanted things onto people's desktops without their consent," Dave Cole, a director at Symantec Security Response, said.

Typically, what gets installed on a PC using such flaws is adware, spyware or software that turns a PC into a zombie in a botnet used in other cyberattacks. An unpatched flaw is attractive to attackers, since people will not have received an update from Microsoft to protect their systems.

The last time Microsoft issued a fix early was in January. Microsoft rushed out a fix for a serious vulnerability in the way Windows handled the Windows Meta File image format. That flaw was also being abused to attack Windows users.

Meanwhile, Microsoft has offered a work-around for users to protect themselves. Disabling active scripting in the browser will prevent the attack, according to the Microsoft security advisory.

The flaw affects fully patched versions of IE 6 and Microsoft Windows XP with Service Pack 2 as well as IE 7 Beta 2 Preview, according to security experts. Microsoft, however, in its advisory lists the IE7 browser as immune.

See more CNET content tagged:
flaw, attack, McAfee Inc., security company, vulnerability

96 comments

Join the conversation!
Add your comment
Do the world a favor, stop using IE
The single most effective way to protect yourself on the internet is, never use Microsoft products.
Posted by booboo1243 (328 comments )
Reply Link Flag
Do the world a favor, stop using IE
The single most effective way to protect yourself on the internet is, never use Microsoft products.
Posted by booboo1243 (328 comments )
Reply Link Flag
Correct! Use alternative browser is the best bet.
There are choises, alternatives. Products built to succeed on inovation not monopolistic practices. Do yourself and everyone around you a favor...be safe, be compatible, use non-Microsoft products.
Posted by 206538395198018178908092208948 (141 comments )
Reply Link Flag
Correct! Use alternative browser is the best bet.
There are choises, alternatives. Products built to succeed on inovation not monopolistic practices. Do yourself and everyone around you a favor...be safe, be compatible, use non-Microsoft products.
Posted by 206538395198018178908092208948 (141 comments )
Reply Link Flag
isn't someone from MS, namely Bill G., in jail?
If Bill Gates was the CEO if General Motors and produced cars with the same quality as MS products he would be in jail. His products have killed people, such as the death associated with the 2003 blackout caused by a Microsoft worm. (Blaster was it?)
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
I hate that example and here's why...
There is no sound correlation between software and automobiles. By your same reasoning, General Motors should be responsible for Hurricane Katrina since their automobiles were associated with global warming that caused the hurricane. One cannot extend responsibility indefinetly without running into the fact that people choose to use Windows and people choose to use automobiles, all the while realizing that unintended consequences may ensue as a result of that usage.
Posted by nhandler (79 comments )
Link Flag
BS
<a class="jive-link-external" href="http://www.pserc.wisc.edu/Resources.htm" target="_newWindow">http://www.pserc.wisc.edu/Resources.htm</a>

The worm didn't cause the blackout. Even if it did it wasn't MS that created the Worm. It's like trying to hold Ginsu responsable it some one gets stabbed to death with one of their knives.
Posted by Bob Brinkman (556 comments )
Link Flag
isn't someone from MS, namely Bill G., in jail?
If Bill Gates was the CEO if General Motors and produced cars with the same quality as MS products he would be in jail. His products have killed people, such as the death associated with the 2003 blackout caused by a Microsoft worm. (Blaster was it?)
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
I hate that example and here's why...
There is no sound correlation between software and automobiles. By your same reasoning, General Motors should be responsible for Hurricane Katrina since their automobiles were associated with global warming that caused the hurricane. One cannot extend responsibility indefinetly without running into the fact that people choose to use Windows and people choose to use automobiles, all the while realizing that unintended consequences may ensue as a result of that usage.
Posted by nhandler (79 comments )
Link Flag
BS
<a class="jive-link-external" href="http://www.pserc.wisc.edu/Resources.htm" target="_newWindow">http://www.pserc.wisc.edu/Resources.htm</a>

The worm didn't cause the blackout. Even if it did it wasn't MS that created the Worm. It's like trying to hold Ginsu responsable it some one gets stabbed to death with one of their knives.
Posted by Bob Brinkman (556 comments )
Link Flag
Previous subject should have starteed with "Why"
Dunno what happened there...Maybe CNet uses Microsoft servers and a virus ate it.
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
Previous subject should have starteed with "Why"
Dunno what happened there...Maybe CNet uses Microsoft servers and a virus ate it.
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
Previous subject should have started with "Why"
Dunno what happened there...Maybe CNet uses Microsoft servers and a virus ate it.
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
Previous subject should have started with "Why"
Dunno what happened there...Maybe CNet uses Microsoft servers and a virus ate it.
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
Isn't mulling and rushing sort of oxymoronic?
Or just moronic? Microsoft has to get their act together, they are so slow to respond to threats and they have such a promising architecture with which to automatically patch their programs it seems folly to withhold!
Posted by nhandler (79 comments )
Reply Link Flag
Sort of like 'laid back panic'....
;-)
Posted by Earl Benser (4310 comments )
Link Flag
Isn't mulling and rushing sort of oxymoronic?
Or just moronic? Microsoft has to get their act together, they are so slow to respond to threats and they have such a promising architecture with which to automatically patch their programs it seems folly to withhold!
Posted by nhandler (79 comments )
Reply Link Flag
Sort of like 'laid back panic'....
;-)
Posted by Earl Benser (4310 comments )
Link Flag
XP the Best OS
Long ago, I believed that windows XP was the best OS&Too bad hackers feel the same way.END
Posted by Black-Magic (8 comments )
Reply Link Flag
Hardly
Hackers do not believe XP (or windows at all) is the best OS. if someone is a true hacker (i.e. not the "weekend hobbyist" type, but someone who either hacks things for a living, or even someone like myself, who does legal hacking (legitimately recovering passwords, etc)) then they'd never claim windows is even a good OS, much less the best one.

In this case, the reason hackers find these bugs - and more importantly, write code to exploit them - is because the majority of insecure systems are windows-based. Recent surveys have shown that over 90% of all "home computing" users (people that don't use computers in a business setting, or basically, people who don't have an IT manager or department (small bsuinesses are included in "home computing")) didn't even know Linux exists. Linux is actually older than DOS or windows, so that's a bit suprising. A survey of people in the IT field, on the other hand, shows that around 75% or more of people in the IT field not only believe Linux is a more secure OS, but also run it personally on their own computers. Since most linux computers (mainly servers, which can't afford downtime) run a Linux or UNIX OS, IT people are forced to keep them secure and updated. The average home computing user doesn't do that. or example, most windows XP home users (over 80% of them, actually) use their computer as an "administrator." On linux, no IT pro in their right mind would allow that for even two seconds. Another study suggests that over half of all malware could be prevented simply by web browsing and checking email under aseperate, "limited user" account, since the malware will either fail to install or fail to run without admin privlages.

In short, the reason hackers choose windows as their target is because they're easier targets. They're insecure systems on unpotected lines with patches and updates which people don't want to install because "they don't want to close 50 windows to reboot and lose all their work."

One more note: On linux, this would've been fixed already. Linux would be immune to this bug since it's internet-explorer-specific, however on linux, the average time from an exploit discovery in the kernel (the operating system itself, not counting programs) to the fix being released for public download is less than 8 hours. It's been two days since the second bug alone, and still we have no fix. Part of a grea operating system is the support behind it. Microsoft's tech support has always been lackluster at best. In linux, it's true that you can't always rely on things being fixed, but what I've found is that when you've got people who are doing something because they have a passion for it, they always work harder than those who are just getting paid for it. There's a reaoson they call us (myself included) "Linux Fanatics" - we're happy to promote what we have, but linux users have a big sense of community, and therefore when Linux has a problem, then out of 22 million people who are passionate about it, somebody somewhere will more than likely fix it.
Posted by mcadoar (14 comments )
Link Flag
On planet stupid it is
:)
Posted by Bill Dautrive (1179 comments )
Link Flag
XP the Best OS
Long ago, I believed that windows XP was the best OS&Too bad hackers feel the same way.END
Posted by Black-Magic (8 comments )
Reply Link Flag
Hardly
Hackers do not believe XP (or windows at all) is the best OS. if someone is a true hacker (i.e. not the "weekend hobbyist" type, but someone who either hacks things for a living, or even someone like myself, who does legal hacking (legitimately recovering passwords, etc)) then they'd never claim windows is even a good OS, much less the best one.

In this case, the reason hackers find these bugs - and more importantly, write code to exploit them - is because the majority of insecure systems are windows-based. Recent surveys have shown that over 90% of all "home computing" users (people that don't use computers in a business setting, or basically, people who don't have an IT manager or department (small bsuinesses are included in "home computing")) didn't even know Linux exists. Linux is actually older than DOS or windows, so that's a bit suprising. A survey of people in the IT field, on the other hand, shows that around 75% or more of people in the IT field not only believe Linux is a more secure OS, but also run it personally on their own computers. Since most linux computers (mainly servers, which can't afford downtime) run a Linux or UNIX OS, IT people are forced to keep them secure and updated. The average home computing user doesn't do that. or example, most windows XP home users (over 80% of them, actually) use their computer as an "administrator." On linux, no IT pro in their right mind would allow that for even two seconds. Another study suggests that over half of all malware could be prevented simply by web browsing and checking email under aseperate, "limited user" account, since the malware will either fail to install or fail to run without admin privlages.

In short, the reason hackers choose windows as their target is because they're easier targets. They're insecure systems on unpotected lines with patches and updates which people don't want to install because "they don't want to close 50 windows to reboot and lose all their work."

One more note: On linux, this would've been fixed already. Linux would be immune to this bug since it's internet-explorer-specific, however on linux, the average time from an exploit discovery in the kernel (the operating system itself, not counting programs) to the fix being released for public download is less than 8 hours. It's been two days since the second bug alone, and still we have no fix. Part of a grea operating system is the support behind it. Microsoft's tech support has always been lackluster at best. In linux, it's true that you can't always rely on things being fixed, but what I've found is that when you've got people who are doing something because they have a passion for it, they always work harder than those who are just getting paid for it. There's a reaoson they call us (myself included) "Linux Fanatics" - we're happy to promote what we have, but linux users have a big sense of community, and therefore when Linux has a problem, then out of 22 million people who are passionate about it, somebody somewhere will more than likely fix it.
Posted by mcadoar (14 comments )
Link Flag
On planet stupid it is
:)
Posted by Bill Dautrive (1179 comments )
Link Flag
Is this a Problem?!
dude, check if you have linux-wlan-ng or ndiswrapper. Also, you should have did some reseach which chipsets are supported on GNU/Linux. All in all, it helps to google around...
Posted by wakizaki (44 comments )
Reply Link Flag
Is this a Problem?!
dude, check if you have linux-wlan-ng or ndiswrapper. Also, you should have did some reseach which chipsets are supported on GNU/Linux. All in all, it helps to google around...
Posted by wakizaki (44 comments )
Reply Link Flag
Active scripting
How do you disable "active scripting"?
Posted by dogeasy (2 comments )
Reply Link Flag
Active scripting
How do you disable "active scripting"?
Posted by dogeasy (2 comments )
Reply Link Flag
tabbed browsing and IE
when is IE coming out with tabbed browsing?
Posted by youcrazytiger (5 comments )
Reply Link Flag
tabbed browsing and IE
when is IE coming out with tabbed browsing?
Posted by youcrazytiger (5 comments )
Reply Link Flag
Question: I.E.; Answer: Mozilla Firefox 1.5 !
We all know about the pitfalls of M$ I.E. and the answer is simple. Mozilla Firefox 1.5! An open-source, tabbed browser that is customizable, and free! Goto www.mozilla.com, download Firefox 1.5, and use I.E. only for your Windows updates! Stop worrying about I.E. bugs or attacks. Get Firefox 1.5, and get on with the fun of surfing the Web!
Firefox 1.5 just works!
Posted by Jon N. (182 comments )
Reply Link Flag
Question: I.E.; Answer: Mozilla Firefox 1.5 !
We all know about the pitfalls of M$ I.E. and the answer is simple. Mozilla Firefox 1.5! An open-source, tabbed browser that is customizable, and free! Goto www.mozilla.com, download Firefox 1.5, and use I.E. only for your Windows updates! Stop worrying about I.E. bugs or attacks. Get Firefox 1.5, and get on with the fun of surfing the Web!
Firefox 1.5 just works!
Posted by Jon N. (182 comments )
Reply Link Flag
This is why there is no defense of MS
MIcrosoft is one of the few software companies that are reacted, not proactive. Look at open source and apple. Very, very few flaws are actually exploited, and fixes are out in hours, a few days at most.

Meanwhile at MS, flaws are exploited while MS is trying to figure out what to do with it.

MS needs to throw out all of their code and start from scratch. It is garbage, built on garbage and things will never improve until they started over. Pre-OSX macs sucked hard. They threw out everything, built thier OS on a rock solid and stable core and things have been great in AppleLand.

Meanwhile, the bloated and ironically underfeatured Vista is not going anywhere. It is built on a ton of garbage, and superficial paintjobs and barely adequete security rules will not get rid of the stench of the massive garbage heap it is built on.

This is why MS sucks, not only did they write the most bug-ridden collection of code on earth, but they integrated it all, including crap that has no business being a part of any OS.

In short MS is incompetent. There was tons of evidence 10 years ago, and that list od reasons has exploded exponentially since then.
Posted by Bill Dautrive (1179 comments )
Reply Link Flag
RE: This is why there is no defense of MS
It's easy for Apple to start over when hardly anybody uses Apple computers. MS has hundreds of millions of Windows machines worldwide.

MS also has flaws popping up, because so many people target them for attacks. Were Apple to have enough marketshare to make it a worthwhile target, you would see more attcks.

Let's look at it this way... You have one nuke and you want to take out as many people as possible. Do you lob that bomb at Taiwan or NYC, or some small island in the Pacific that has 50 natives living on it?

You go to the most target-rich environment, and in the OS world, that is Windows.

If Apple was so great, people would buy them, but they aren't.
Posted by SquireSCA (2 comments )
Link Flag
This is why there is no defense of MS
MIcrosoft is one of the few software companies that are reacted, not proactive. Look at open source and apple. Very, very few flaws are actually exploited, and fixes are out in hours, a few days at most.

Meanwhile at MS, flaws are exploited while MS is trying to figure out what to do with it.

MS needs to throw out all of their code and start from scratch. It is garbage, built on garbage and things will never improve until they started over. Pre-OSX macs sucked hard. They threw out everything, built thier OS on a rock solid and stable core and things have been great in AppleLand.

Meanwhile, the bloated and ironically underfeatured Vista is not going anywhere. It is built on a ton of garbage, and superficial paintjobs and barely adequete security rules will not get rid of the stench of the massive garbage heap it is built on.

This is why MS sucks, not only did they write the most bug-ridden collection of code on earth, but they integrated it all, including crap that has no business being a part of any OS.

In short MS is incompetent. There was tons of evidence 10 years ago, and that list od reasons has exploded exponentially since then.
Posted by Bill Dautrive (1179 comments )
Reply Link Flag
RE: This is why there is no defense of MS
It's easy for Apple to start over when hardly anybody uses Apple computers. MS has hundreds of millions of Windows machines worldwide.

MS also has flaws popping up, because so many people target them for attacks. Were Apple to have enough marketshare to make it a worthwhile target, you would see more attcks.

Let's look at it this way... You have one nuke and you want to take out as many people as possible. Do you lob that bomb at Taiwan or NYC, or some small island in the Pacific that has 50 natives living on it?

You go to the most target-rich environment, and in the OS world, that is Windows.

If Apple was so great, people would buy them, but they aren't.
Posted by SquireSCA (2 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.