Windows

Exploits of recent IE flaw continue

More vulnerabilities have surfaced in Internet Explorer, and Microsoft is still working on a patch. Get the details about this and other security issues in this edition of the IT Locksmith.

Internet Explorer continues to sprout new vulnerabilities, and attackers aren't wasting any time exploiting them. While Microsoft hasn't yet provided a patch, it has released the beta version of Windows Live, which could have security implications of its own.

Details

Several new vulnerabilities have shown up lately in Microsoft's Internet Explorer browser. However, at the time of this writing, Microsoft has only addressed one of them—and minimally at that. This is the remote code execution threat I mentioned in my last article.

Redmond had yet to mention any of the other holes, and I really can't offer much advice other than increasing your general security stance—don't open attachments, don't visit strange Web sites, you know the drill. But keep in mind that with an ongoing threat, any of this could change at a moment's notice, so keep checking for new information.

For example, Microsoft updated its Security Advisory 917077 ("Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution") on March 24, 28, and 29. The last update included a link to Microsoft Security Advisory 912945 ("Non-Security Update for Internet Explorer"), which indicates that the upcoming security patch will include the ActiveX changes described in the advisory.

The threat covered by Security Advisory 917077 (CVE-2006-1359) affects IE 5.01 Service Pack 4 (on Windows 2000 SP4), IE 6 SP1 (on Windows 2000 SP4 and Windows XP SP1), IE 6 (on Windows XP SP2, Windows Server 2003, and Windows Server 2003 SP1, including Itanium and 64-bit versions), as well as IE 6 SP1 on older Windows versions (Windows 98, Windows 98 SE, and Windows ME). Microsoft says it will release a security bulletin for this threat.

Although this is a critical threat, antivirus software will mitigate the actual malware sent via this attack vector, so keeping antivirus software database signatures will help protect systems. The bad news is that antivirus tools only protect against known infections—but attackers can use the vulnerability in IE to install new malware if they stay ahead of new virus signatures.

Microsoft's delay in patching this critical actively exploited threat, which you can probably expect on April's Patch Tuesday, has caused several companies to release their own patches. However, remember that such fixes always carry a serious possibility of a malicious attack sneaking in under the guise of a patch. But that's not a condemnation of any particular third-party patch. If you know and trust one, you may wish to install it at your own risk.

Microsoft Lives it up

Microsoft's Windows Live Web site is now in beta. Even if you don't have the slightest interest in what this new offering can do, I recommend checking it out to get an idea of what Redmond has in mind. Parts of this initiative focus directly on business users, so—at least from a security standpoint—you need to be aware of it and the potential for problems.

The new suite of tools begins with Live.com, a news aggregator that's also a portal for those who want to integrate all of their Internet tools in one place. Live.com combines news, search, a toolbar that blocks pop-ups and warns of identity theft scams, e-mail, MSN Messenger (does anyone in business trust Messenger, by the way?), and other Live-specific offerings.

On the security front, Live OneCare provides virus and firewall protection, as well as backup tools. In addition, Live Safety Center runs tune-ups, cleans up files, and checks PCs for viruses and spyware. (Of course, most of these sites only work correctly with IE.)

A primary focus of Windows Live is to increase and facilitate online collaboration. While this will more than likely help boost productivity, keep in mind that such collaboration does have security implications.

Because Windows Live is currently in beta, there's simply no way to evaluate the potential threats posed from moving some of your company's collaboration. However, as a security professional, this is something you do need to keep in mind.

Final word

The IE vulnerability is critical. While there are several more out there that may be just as bad, no exploits have appeared in the wild yet. Microsoft needs to get a patch out for this threat ASAP.

As for Windows Live, I recommend checking it out because some of your users will more than likely do the same. Before they propose that the organization use it to collaborate, it's vital that you understand what threats it might pose. One strange aspect that I've noticed is that this tool, which emphasizes safety and performance, keeps trying to get me to download and install Macromedia Flash Player.

At this point, I can see a limited potential for cautious short-term business use of some of Windows Live's related features. I'll be further exploring this new offering in future articles.


Also watch for…

  • In what's certain to be a boost for Linux, Microsoft has announced plans to host SuSE and Red Hat Linux versions in Virtual Server 2005 R2. It will be a free download that will allow multiple OSes to run on a single machine. (If readers of my TechRepublic blog were looking for more evidence that Microsoft faces big competition from UNIX, this announcement should prove that Redmond sees the potential of Linux.)
  • In what's bound to be yet another potential headache for IT managers trying to keep bandwidth use down and productivity up, many of the large movie studios have announced plans to begin selling downloads of feature movies. And you thought downloading MP3 files was taking up a lot of employee time!

Miss a column?

Check out the IT Locksmith Archive, and catch up on the most recent editions of John McCormick's column.

Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.

Editor's Picks