Redmond may be the only one ignoring the critical Internet
Explorer vulnerability: Secunia has posted more information about the threat,
and a Trojan horse that takes advantage of the vulnerability has also surfaced.


The Internet Explorer vulnerability that I focused on in my
last column
still remains unpatched at the time of this writing. And attackers
are taking advantage of Microsoft’s sluggishness.

Reports surfaced last week of malicious software on the Web that
exploits the
security flaw
to download a Trojan horse to vulnerable computers. And
that’s in addition to the already available
exploit code on the Web.

Secunia Advisory 15546 classifies the threat as
an extremely critical vulnerability that affects fully patched IE 6.0 on
Windows XP Service Pack 2 and IE 6.0 on Windows 2000 SP4 systems. It also
apparently affects IE 5.5.

This vulnerability has received the MITRE/CERT candidate
reference number CAN-2005-1790, which lists the following references:

This is a JavaScript threat triggered when the window()
function calls and initializes malicious code. Here is the example listed by

<body onload="window();">
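
A content-filter check for the trigger pattern quoted above, written as an added example that is not part of the original column or of any advisory it cites. The function names, the regular expression and the sample pages are assumptions constructed for illustration. It flags only a body tag whose onload handler calls window() as a function.

```python
import re
from html.parser import HTMLParser

# Matches a call to the global window object as a function ("window()",
# "window ( )") but not "window.open(", "initwindow(" or "obj.window(".
# JavaScript is case-sensitive, so the match is too.
WINDOW_CALL = re.compile(r"(?<![\w$.])window\s*\(")


class OnloadWindowCallFinder(HTMLParser):
    """Collects <body> tags whose onload handler calls window()."""

    def __init__(self):
        super().__init__()
        self.hits = []  # list of (line number, handler text)

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names and decodes
        # character references in attribute values before we see them.
        if tag != "body":
            return
        for name, value in attrs:
            if name == "onload" and value and WINDOW_CALL.search(value):
                self.hits.append((self.getpos()[0], value))


def find_onload_window_calls(html_text):
    """Return (line, handler) pairs for every suspicious body onload."""
    finder = OnloadWindowCallFinder()
    finder.feed(html_text)
    finder.close()
    return finder.hits


# Constructed sample pages (not captured traffic).
SAMPLES = {
    "page_pattern": '<html><body onload="window();"></body></html>',
    "mixed_case": '<HTML>\n<BODY OnLoad = "javascript: window ()">\n</BODY></HTML>',
    "entity_encoded": '<body onload="window&#40;&#41;;">',
    "benign_open": '<body onload="window.open(\'help.html\');">',
    "benign_name": '<body onload="initwindow();">',
}

if __name__ == "__main__":
    for label, page in SAMPLES.items():
        print(label, find_onload_window_calls(page))
```

A match is a reason to block or quarantine the page for review, not proof of an exploit; handlers attached from script rather than from the onload attribute are outside what this check sees.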

Meanwhile, according to, eEye Digital
Security has discovered a remote
code execution threat in multiple versions of Real Networks RealPlayer
which affects several Windows versions as well as some UNIX and Linux versions.
While no reports of exploits have surfaced yet, the widespread use of RealPlayer
and the large number of versions affected (most, perhaps all, versions through
10.5) could make this a serious threat.

In any case, this vulnerability bears monitoring for any
potential fix that Real Networks makes available. So far, I haven’t seen any response
from Real Networks to the report, which was first posted on November 30.

Final word

On the more general security front, the 9-11 commission
is openly discussing
how badly the federal government has responded to the
most glaring vulnerabilities that the panel exposed in its July 2004 report. Personally,
I expected exactly what happened in New Orleans—which many view as a dress
rehearsal for a major terrorist attack.

Several years ago, I resigned a post as an emergency
management coordinator because of the wasting of 9/11 funds. Essentially, I had
no way of communicating with emergency workers and therefore no way of coordinating
disaster response because I couldn’t get a radio with the right frequencies.

The exact situation exists today. This is a major failing
that the federal government could have easily addressed with a tiny portion of
the billions of dollars since spent on homeland security.

While this may not specifically involve computer security, the
failure to prepare adequately for a major, credible, and known threat is indicative
of the government’s overall attitude toward security concerns in general. And
that’s particularly alarming with so many of the Internet’s central elements
based in the United States. Remember: It doesn’t take a direct threat to the
Internet’s infrastructure to cause a major disruption.

Also watch for…

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.