
March 24, 2006 5:22 PM PST

Microsoft mulls rushing out IE patch

Microsoft may rush out a security update for Internet Explorer to fix a flaw that is now being exploited to attack Windows systems, security companies say.

Computer code that demonstrates how a hacker can use the flaw to take over a PC was released onto the Net on Thursday. At least two such exploits were made public, and one has now been adapted to attack systems, Monty IJzerman, the manager of security content at McAfee, said on Friday.

"This exploit code is being used in the wild in malware," or malicious software, IJzerman said. "I expect other attacks to be prepared and to be out there over the next few days."

In a security advisory issued Thursday, Microsoft said it will address the vulnerability in a security update, but did not say when that patch would be delivered. Its next "Patch Tuesday" bundle of fixes is scheduled for April 11. On Friday, however, Microsoft indicated that a security patch might be released outside of the regular cycle.

"It is on the table," said Stephen Toulouse, a program manager in Microsoft's Security Response Center. "Every time any kind of exploitation is going on, it is on the table."

The flaw is the third to hit Microsoft this week. It has to do with how Internet Explorer handles the "createTextRange()" tag in Web pages. A hacker could take advantage of it to gain control over a vulnerable PC by crafting a specially coded Web site, Microsoft said.

McAfee found that a Web site is using the IE vulnerability to sneak malicious code onto vulnerable Windows PCs, IJzerman said. The company has updated its security software to protect against that code, which IJzerman could only describe as something related to spyware.

Security companies Sunbelt Software and Websense have also reported seeing attacks out on the Internet.

Symantec had not yet seen attacks on Friday, but said it expected to see them. "There is a lot of financial incentive to exploit this stuff and foist nasty, unwanted things onto people's desktops without their consent," Dave Cole, a director at Symantec Security Response, said.

Typically, what gets installed on a PC using such flaws is adware, spyware or software that turns a PC into a zombie in a botnet used in other cyberattacks. An unpatched flaw is attractive to attackers, since people will not have received an update from Microsoft to protect their systems.

The last time Microsoft issued a fix early was in January. Microsoft rushed out a fix for a serious vulnerability in the way Windows handled the Windows Meta File image format. That flaw was also being abused to attack Windows users.

Meanwhile, Microsoft has offered a work-around for users to protect themselves. Disabling active scripting in the browser will prevent the attack, according to the Microsoft security advisory.

The flaw affects fully patched versions of IE 6 and Microsoft Windows XP with Service Pack 2 as well as IE 7 Beta 2 Preview, according to security experts. Microsoft, however, in its advisory lists the IE7 browser as immune.

Do the world a favor, stop using IE
by booboo1243 March 24, 2006 6:28 PM PST
The single most effective way to protect yourself on the internet is, never use Microsoft products.
Correct! Use alternative browser is the best bet.
by 206538395198018178908092208948 March 24, 2006 6:31 PM PST
There are choices, alternatives. Products built to succeed on innovation not monopolistic practices. Do yourself and everyone around you a favor...be safe, be compatible, use non-Microsoft products.
isn't someone from MS, namely Bill G., in jail?
by aabcdefghij987654321 March 24, 2006 6:34 PM PST
If Bill Gates was the CEO of General Motors and produced cars with the same quality as MS products he would be in jail. His products have killed people, such as the death associated with the 2003 blackout caused by a Microsoft worm. (Blaster was it?)
I hate that example and here's why...
by nhandler March 24, 2006 7:56 PM PST
There is no sound correlation between software and automobiles. By your same reasoning, General Motors should be responsible for Hurricane Katrina since their automobiles were associated with global warming that caused the hurricane. One cannot extend responsibility indefinitely without running into the fact that people choose to use Windows and people choose to use automobiles, all the while realizing that unintended consequences may ensue as a result of that usage.
BS
by Bob Brinkman March 27, 2006 6:33 AM PST
http://www.pserc.wisc.edu/Resources.htm

The worm didn't cause the blackout. Even if it did it wasn't MS that created the Worm. It's like trying to hold Ginsu responsible if someone gets stabbed to death with one of their knives.
Previous subject should have started with "Why"
by aabcdefghij987654321 March 24, 2006 6:35 PM PST
Dunno what happened there...Maybe CNet uses Microsoft servers and a virus ate it.
Isn't mulling and rushing sort of oxymoronic?
by nhandler March 24, 2006 7:51 PM PST
Or just moronic? Microsoft has to get their act together, they are so slow to respond to threats and they have such a promising architecture with which to automatically patch their programs it seems folly to withhold!
Sort of like 'laid back panic'....
by Earl Benser March 26, 2006 8:13 AM PST
;-)
XP the Best OS
by Black-Magic March 24, 2006 9:41 PM PST
Long ago, I believed that windows XP was the best OS... Too bad hackers feel the same way.
Hardly
by mcadoar March 24, 2006 10:47 PM PST
Hackers do not believe XP (or windows at all) is the best OS. If someone is a true hacker (i.e. not the "weekend hobbyist" type, but someone who either hacks things for a living, or even someone like myself, who does legal hacking (legitimately recovering passwords, etc)) then they'd never claim windows is even a good OS, much less the best one.

In this case, the reason hackers find these bugs - and more importantly, write code to exploit them - is because the majority of insecure systems are windows-based. Recent surveys have shown that over 90% of all "home computing" users (people that don't use computers in a business setting, or basically, people who don't have an IT manager or department (small businesses are included in "home computing")) didn't even know Linux exists. Linux is actually older than DOS or windows, so that's a bit surprising. A survey of people in the IT field, on the other hand, shows that around 75% or more of people in the IT field not only believe Linux is a more secure OS, but also run it personally on their own computers. Since most linux computers (mainly servers, which can't afford downtime) run a Linux or UNIX OS, IT people are forced to keep them secure and updated. The average home computing user doesn't do that. For example, most windows XP home users (over 80% of them, actually) use their computer as an "administrator." On linux, no IT pro in their right mind would allow that for even two seconds. Another study suggests that over half of all malware could be prevented simply by web browsing and checking email under a separate, "limited user" account, since the malware will either fail to install or fail to run without admin privileges.

In short, the reason hackers choose windows as their target is because they're easier targets. They're insecure systems on unprotected lines with patches and updates which people don't want to install because "they don't want to close 50 windows to reboot and lose all their work."

One more note: On linux, this would've been fixed already. Linux would be immune to this bug since it's internet-explorer-specific, however on linux, the average time from an exploit discovery in the kernel (the operating system itself, not counting programs) to the fix being released for public download is less than 8 hours. It's been two days since the second bug alone, and still we have no fix. Part of a great operating system is the support behind it. Microsoft's tech support has always been lackluster at best. In linux, it's true that you can't always rely on things being fixed, but what I've found is that when you've got people who are doing something because they have a passion for it, they always work harder than those who are just getting paid for it. There's a reason they call us (myself included) "Linux Fanatics" - we're happy to promote what we have, but linux users have a big sense of community, and therefore when Linux has a problem, then out of 22 million people who are passionate about it, somebody somewhere will more than likely fix it.
On planet stupid it is
by Bill Dautrive March 27, 2006 7:08 PM PST
:)
Is this a Problem?!
by wakizaki March 25, 2006 12:40 AM PST
dude, check if you have linux-wlan-ng or ndiswrapper. Also, you should have done some research on which chipsets are supported on GNU/Linux. All in all, it helps to google around...
Active scripting
by dogeasy March 27, 2006 9:05 AM PST
How do you disable "active scripting"?
tabbed browsing and IE
by youcrazytiger March 27, 2006 9:11 AM PST
when is IE coming out with tabbed browsing?