December 13, 2005 1:23 PM PST

Patches out for IE holes, Sony-related issue

Microsoft on Tuesday provided a fix for a "critical" security flaw in Windows that is being exploited in online attacks against Internet Explorer users.

The software maker released the patch in security bulletin MS05-054, as part of its monthly patching cycle. The update also plugs three other security holes in Internet Explorer, the Web browser component of Windows. One of the other flaws is also deemed critical, but Microsoft said it is not aware of any malicious code that takes advantage of it.

"An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system," Microsoft warned in its security bulletin, referring to the two critical IE flaws. The vulnerabilities exist in all currently supported versions of the browser on all editions of Windows.

The browser security update also tackles part of the fallout from Sony BMG Music Entertainment's rootkit debacle. The browser security update will make it impossible to run older versions of an ActiveX control released by the record label. The software was designed to defuse the issues with an antipiracy tool, but was found to have security problems of its own.

Microsoft's patch release prompted security provider Symantec to raise its ThreatCon global threat index to Level 2, which means an outbreak is expected.

The IE flaws could be used to craft a malicious Web site that will automatically download and run code on a vulnerable PC, if the computer owner visits the site. The compromise could happen without the system owner realizing it, Microsoft said.

"These vulnerabilities are increasingly being used to facilitate online fraud through the installation of malicious software on vulnerable computers," Oliver Friedrichs, a senior manager at Symantec Security Response, said in a statement. "Symantec has already seen exploits for some of these vulnerabilities in the wild and recommends that users apply the updates as quickly as possible."

One serious flaw lies in the way IE handles certain document object model methods, a problem originally reported in May. At that time, experts thought it could only be used for a denial-of-service attack that crashed IE. But in November, experts raised an alarm on the issue, after it was discovered that the flaw could be used to remotely run code on a vulnerable computer.

Microsoft itself has warned that the hole is actively being exploited to download malicious code to vulnerable systems. Security-monitoring company Secunia deems the problem "extremely critical," its rarely given highest rating.

The second critical IE bug patched Tuesday is similar to issues addressed in Microsoft's October, August and July security bulletins. This month's update cuts links between IE and other pieces of Microsoft software that the Web browser can call on inappropriately, a technique that could be used to compromise a system, Microsoft said.

Less severe IE problems
The other two IE security holes addressed in the bulletin represent less of a risk, according to Microsoft's ratings. One is related to the way the browser displays the dialog box for file downloads. A PC user who visits a malicious Web site could be tricked into running malicious code because of the problem, the software maker said.

The other issue could let an attacker see which Web sites a PC user is visiting, even if a connection to the site being visited is encrypted (typically shown by an address that start with "https"). This could occur only when the system owner connects to the Internet via a specific kind of proxy server, Microsoft said.

Beyond IE, Microsoft offered a fix for a privilege-elevation flaw in Windows 2000. This flaw could let an attacker take complete control of an affected system, but requires the intruder to have local access to the machine, Microsoft said in security bulletin MS05-055.

Microsoft urges users to apply the patches. Users of Microsoft patching mechanisms, such as Windows Automatic Updates, do not typically need to take action to receive the patches. Microsoft urges other people to download and install the fixes from its Web site.

9 comments

Join the conversation!
Add your comment
Last week, this week, next week, more MS flaws expected.
<Broken record mode on> The single most effective way to protect yourself on-line is, never use Microsoft software.
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
<Broken record mode on>
And what, patch again and again OSX, Safari, Linux or UNIX boxes instead?
&lt;/Broken record mode on&gt;
Posted by catchall (245 comments )
Link Flag
A SONY DRM rootkit total removal tool it ain't!
Hmm, after visiting Microsoft, and reading the fine print,this tool is merely a rootkit decloaking device only that leaves the basic SONY DRM intact, very much like the original F4I hack job.
Me, the two choices are either follow Mark Rusinovich's way to manually disinfect and remove or a complete clean, reformat harddrive and system reinstall!
At least with the last alternatives, you remove the unwanted malicious phone home/ system resources drag this trojan creates!
Posted by heystoopid (691 comments )
Reply Link Flag
Reformat and Re-install
I agree! A reformat and re-install of windows (if one is using windows), is, to my way of thinking the best method of getting rid of this
rootkit. I would also add for those who are not aware of what they call, DRM, to become aware of what DRM is. If you put a Commercial Music CD or Movie DVD into your computer's CD or DVD drive, In my opinion, you are taking a chance on getting your Computer infected with any number of spyware's, addware's or worse.
Posted by acklark (10 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.