Redmond may be the only one ignoring the critical Internet Explorer vulnerability: Secunia has posted more information about the threat, and a Trojan horse that takes advantage of the vulnerability has also surfaced.
Details
The Internet Explorer vulnerability that I focused on in my last column still remains unpatched at the time of this writing. And attackers are taking advantage of Microsoft's sluggishness.
Reports surfaced last week of malicious software on the Web that exploits the security flaw to download a Trojan horse to vulnerable computers. And that's in addition to the already available exploit code on the Web.
Secunia Advisory 15546 classifies the threat as an extremely critical vulnerability that affects fully patched IE 6.0 on Windows XP Service Pack 2 and IE 6.0 on Windows 2000 SP4 systems. It also apparently affects IE 5.5.
This vulnerability has received the MITRE/CERT candidate reference number CAN-2005-1790, which lists the following references:
- BUGTRAQ:20050528 Microsoft Internet Explorer - Crash on JavaScript "window()"-calling (05/28/2005)
- BUGTRAQ:20050530 Re: Microsoft Internet Explorer - Crash on JavaScript "window()"-calling (05/28/2005)
- BUGTRAQ:20051121 Computer Terrorism Security Advisory (Reclassification) - Microsoft Internet Explorer JavaScript Window() Vulnerability
- FRSIRT:ADV-2005-2509
- SECTRACK:1015251
- SECUNIA:15546
This is a JavaScript threat triggered when the window() function calls and initializes malicious code. Here is the example listed by Secunia:
<body onload="window();">
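As an added example (not from Secunia or from this column), a gateway or proxy filter could flag pages that use the trigger shown above. The code parses HTML with Python's standard html.parser and reports any onload handler that calls window() directly; the names scan_html and SAMPLES and the sample documents are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# A bare call to window(...): not window.focus(), not openwindow().
WINDOW_CALL = re.compile(r"(?<![\w.$])window\s*\(")


class OnloadWindowScanner(HTMLParser):
    """Collects tags whose inline onload handler calls window()."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names and decodes
        # character references in attribute values before we see them.
        for name, value in attrs:
            if name == "onload" and value and WINDOW_CALL.search(value):
                line, _col = self.getpos()
                self.findings.append((line, tag, value))


def scan_html(text):
    """Return (line, tag, handler) for each suspicious onload handler."""
    scanner = OnloadWindowScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


# Constructed sample documents, not captured traffic.
SAMPLES = {
    "secunia_form.html": '<html><body onload="window();"><p>x</p></body></html>',
    "entity_encoded.html": '<BODY ONLOAD="&#119;indow()">',
    "benign_method.html": '<body onload="window.focus();">',
    "benign_name.html": '<body onload="openwindow();">',
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        hits = scan_html(doc)
        print(name, "FLAG" if hits else "ok", hits)
```

This is a heuristic for the inline-attribute form only: a handler assigned from script is not inspected, so a clean result does not mean a page is safe on an unpatched browser.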
Meanwhile, according to SecurityFocus.com, eEye Digital Security has discovered a remote code execution threat in multiple versions of Real Networks RealPlayer, which affects several Windows versions as well as some UNIX and Linux versions. While no reports of exploits have surfaced yet, the widespread use of RealPlayer and the large number of versions affected (most, perhaps all, versions through 10.5) could make this a serious threat.
In any case, this vulnerability bears monitoring for any potential fix that Real Networks makes available. So far, I haven't seen any response from Real Networks to the report, which was first posted on November 30.
Final word
On the more general security front, the 9-11 commission is openly discussing how badly the federal government has responded to the most glaring vulnerabilities that the panel exposed in its July 2004 report. Personally, I expected exactly what happened in New Orleans—which many view as a dress rehearsal for a major terrorist attack.
Several years ago, I resigned a post as an emergency management coordinator because of the wasting of 9/11 funds. Essentially, I had no way of communicating with emergency workers and therefore no way of coordinating disaster response because I couldn't get a radio with the right frequencies.
The exact situation exists today. This is a major failing that the federal government could have easily addressed with a tiny portion of the billions of dollars since spent on homeland security.
While this may not specifically involve computer security, the failure to prepare adequately for a major, credible, and known threat is indicative of the government's overall attitude toward security concerns in general. And that's particularly alarming with so many of the Internet's central elements based in the United States. Remember: It doesn't take a direct threat to the Internet's infrastructure to cause a major disruption.
Also watch for...
- To learn more about the vulnerability patched somewhat controversially in Microsoft Security Bulletin MS05-051, check out FrSIRT advisory ADV-2005-2048, which features some code.
- FrSIRT has also posted an advisory (ADV-2005-2348) that offers some details of the Windows Metafile remote exploit addressed by Microsoft Security Bulletin MS05-053.
- OpenPKG has patched a critical vulnerability for Lynx, which affects OpenPKG versions 2.3, 2.4, and 2.5.
- SuSE has addressed multiple critical remote code execution threats related to multiple vulnerabilities in netpbm, opera, inkscape, apache2-worker, enigmail, sylpheed-claws, phpMyAdmin, and gnump3d. These vulnerabilities exist in all SuSE products.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.



