Internet Explorer continues to sprout new vulnerabilities,
and attackers aren’t wasting any time exploiting them. While Microsoft hasn’t
yet provided a patch, it has released the beta version of Windows Live, which could
have security implications of its own.

Details

Several new vulnerabilities have shown up lately in Microsoft’s Internet Explorer
browser. However, at the time of this writing, Microsoft has only addressed one of
them—and minimally at that. This is the remote code execution threat I mentioned in
my last article.

Redmond has yet to mention any of the other holes, and I really can’t offer much
advice other than increasing your general security stance—don’t open attachments,
don’t visit strange Web sites, you know the drill. But keep in mind that with an
ongoing, actively exploited threat, any of this could change at a moment’s notice,
so keep checking for new information.

For example, Microsoft updated its Security Advisory 917077 (“Vulnerability in the
way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution”)
on March 24, 28, and 29. The last update included a link to Microsoft Security
Advisory 912945 (“Non-Security Update for Internet Explorer”), which indicates that
the upcoming security patch will include the ActiveX changes described in that
advisory.

The threat covered by Security Advisory 917077 (CVE-2006-1359) affects IE 5.01
Service Pack 4 (on Windows 2000 SP4), IE 6 SP1 (on Windows 2000 SP4 and Windows XP
SP1), IE 6 (on Windows XP SP2, Windows Server 2003, and Windows Server 2003 SP1,
including Itanium and 64-bit versions), as well as IE 6 SP1 on older Windows
versions (Windows 98, Windows 98 SE, and Windows ME). Microsoft says it will
release a security bulletin for this threat.

Although this is a critical threat, antivirus software will mitigate the actual
malware sent via this attack vector, so keeping antivirus signature databases up to
date will help protect systems. The bad news is that antivirus tools only protect
against known infections—attackers can use the vulnerability in IE to install new
malware for as long as they stay ahead of the latest virus signatures.

Microsoft’s delay in patching this critical, actively exploited threat (the official
fix will probably arrive on April’s Patch Tuesday) has caused several companies to
release their own patches. However, remember that such fixes always carry a serious
possibility of a malicious attack sneaking in under the guise of a patch. That’s not
a condemnation of any particular third-party patch: if you know and trust one, you
may wish to install it at your own risk.

Microsoft Lives it up

Microsoft’s Windows Live Web site is now in beta. Even if you don’t have the
slightest interest in what this new offering can do, I recommend checking it out to
get an idea of what Redmond has in mind. Parts of this initiative focus directly on
business users, so—at least from a security standpoint—you need to be aware of it
and the potential for problems.

The new suite of tools begins with Live.com, a news aggregator that’s also a portal
for those who want to integrate all of their Internet tools in one place. Live.com
combines news, search, a toolbar that blocks pop-ups and warns of identity theft
scams, e-mail, MSN Messenger (does anyone in business trust Messenger, by the way?),
and other Live-specific offerings.

On the security front, Live OneCare
provides virus and firewall protection, as well as backup tools. In addition, Live
Safety Center runs tune-ups, cleans up files, and checks PCs for viruses and
spyware. (Of course, most of these sites only work correctly with IE.)

A primary focus of Windows Live is to
increase and facilitate online collaboration. While this will more than likely
help boost productivity, keep in mind that such collaboration does have
security implications.

Because Windows Live is currently in beta, there’s simply no way yet to evaluate the
potential threats posed by moving some of your company’s collaboration onto it.
However, as a security professional, this is something you do need to keep in mind.

Final word

The IE vulnerability is critical. While there are several
more out there that may be just as bad, no exploits have appeared in the wild
yet. Microsoft needs to get a patch out for this threat ASAP.

As for Windows Live, I recommend checking it out because some
of your users will more than likely do the same. Before they propose that the
organization use it to collaborate, it’s vital that you understand what threats
it might pose. One strange aspect that I’ve noticed is that
this tool, which emphasizes safety and performance, keeps trying to get me to
download and install Macromedia Flash Player.

At this point, I can see a limited potential for cautious
short-term business use of some of Windows Live’s related features. I’ll be
further exploring this new offering in future articles.


Also watch for…

  • In what’s certain to be a boost for Linux, Microsoft has announced plans to host
    SuSE and Red Hat Linux versions in Virtual Server 2005 R2. It will be a free
    download that will allow multiple OSes to run on a single machine. (If readers
    of my TechRepublic blog were looking for more evidence that Microsoft faces big
    competition from UNIX, this announcement should prove that Redmond sees the
    potential of Linux.)
  • In what’s bound to be yet another potential headache for IT managers trying to
    keep bandwidth use down and productivity up, many of the large movie studios
    have announced plans to begin selling downloads of feature movies. And you
    thought downloading MP3 files was taking up a lot of employee time!


John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.