Microsoft discloses serious vulnerability in IE

Microsoft has released Security Advisory 911302, which discusses a serious vulnerability in most versions of Internet Explorer, a problem the software giant has known about for six months. In this edition of the IT Locksmith, get the details about this IE threat, and get the best of the rest of recent security news.

Redmond is finally addressing a not-so-new vulnerability in Internet Explorer, but a patch is still on the drawing board. Meanwhile, Sony's recent spyware incident has spurred the U.S. Congress to get involved, and the Sober worm looks to come home for the holidays.

Microsoft admits major IE hole

Redmond has released Microsoft Security Advisory 911302, which reveals that the company is investigating reports of a serious vulnerability in Internet Explorer. Furthermore, the software giant has disclosed that it has known about the security hole for more than six months. (Reports of the vulnerability first surfaced in May 2005.)

Apparently, because the problem was originally a "stability issue," Microsoft didn't consider it serious enough to patch. However, Redmond has now upgraded the problem to a remote code execution threat—a disclosure that came only after exploit code, as well as reports of attacks, surfaced online.

The issue at hand is a critical threat triggered by Internet Explorer's inability to handle mismatched Document Object Model (DOM) objects. With the exception of Windows Server 2003 and Windows Server 2003 Service Pack 1 (with Enhanced Security Configuration activated), all Windows OS versions are vulnerable.

Microsoft's initial workaround was to exercise caution when opening links in e-mails. Since then, Microsoft has also suggested increasing IE security settings so the system will prompt the user before running Active Scripting.

The rest of the advisory's advice is virtually useless: Microsoft reminds users to keep systems updated with the most recent security patches—and yet, no patch is available for this threat! The company also suggests calling Microsoft if you experience an attack.

In addition, I would add the suggestion of only opening e-mails in plain text rather than HTML. And as always, never open links in e-mails from unknown senders.

Congress takes on spyware

Spyware is bad enough when you can't pin down the source—but consider how much worse things are when you know the source but can't do anything about it! The recent Sony debacle has really brought the dangers of spyware close to home by showing that even "trusted" vendors may be sticking nasty surprises in their software.

While there have been several government suits brought against Sony, there haven't been as many as one might expect. This small number illustrates that the U.S. legal system just isn't ready to deal with spyware threats even when it knows where they come from.

However, the U.S. Congress has stepped in with S.2145: "A bill to regulate the unauthorized installation of computer software, to require clear disclosure to computer users of certain computer software features that may pose a threat to user privacy, and for other purposes."

Known as the Software Principles Yielding Better Levels of Consumer Knowledge Act—the SPY BLOCK Act—this legislation is currently making its way through Congress. While this bill likely won't stop spyware, it might reduce the number of multinational companies that decide to intentionally plant it on users' systems.

Sober returns

There has been a considerable increase in the number of significant virus and worm attacks in the past two weeks. After several slow, quiet months on the virus front, the Sober worm has returned with a vengeance.

Over the past week, variants have spread across the world, wreaking havoc in undefended systems. The X variant has even made Symantec's threat list, scoring a 3 out of 5 for its risk rating—the first such threat level I've seen in quite a while.

Other Sober variants—including S, T, V, and W—have scored a 2 rating. Of course, Sober is far from the only threat. The Linux.Plupii.B threat has also earned a 2 rating, as have a couple of Mytob variants. A word to the wise: Virus and worm threats aren't dead—they just took the summer off!

Xbox experiences glitches

Only one day after the release of Microsoft's Xbox 360, reports surfaced of problems with the much-anticipated video game console. Apparently, the many crashes reported with the Xbox 360 mostly have to do with overheating.

Any additional cooling measures, such as pointing a fan at it, playing outdoors here in the northern states, or mounting it in such a way as to maximize heat dissipation, seem to reduce problems to manageable levels. I'll bet Microsoft is glad it's about to release those 300,000 models in Europe!

Final word

In a week when reports abound of serious problems with the Xbox 360 (serious enough that I've dropped plans to buy one for now), Microsoft didn't need to remind people that it may be ignoring some very serious known vulnerabilities in its browser. It's certainly bad enough that, just as Cyber Monday (the most intense online shopping day of the year) is upon us, we learn that a serious threat lurks hidden in most versions of Internet Explorer.

It is far worse to learn that the company knew about the vulnerability as early as May—and did absolutely nothing about it publicly. Of course, Redmond likely did nothing about it internally either, or we wouldn't be waiting for the company to determine how and when to patch it.

By the way, if you're planning on getting an Xbox 360 and have a lot of Xbox software, you might want to check out a backward-compatibility list posted on before trashing your old Xbox. On a personal note, I was disappointed to find Project Gotham Racing missing from the compatible list. While Microsoft says the list may increase beyond the current 200-plus titles, I seriously doubt it left off testing Gotham, so I need to factor in the cost of a new copy if and when I decide to splurge on an Xbox 360.

Also watch for …

  • United Business Media, which owns PR Newswire and CMP, has purchased the Black Hat conference. You know security has become a mainstream concern when a big publisher such as CMP buys the rights to an underground hacker convention. But does that mean it will become better?
  • Meanwhile, as those of you running Linux laugh at the latest IE threats and associated Microsoft stumbles, you might want to check out, which has republished an article about how big Linux malware threats are looming on the near horizon.


John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.
