Redmond is finally addressing a not-so-new vulnerability in
Internet Explorer, but a patch is still on the drawing board. Meanwhile, Sony’s
recent spyware incident has spurred the U.S. Congress to get involved, and the
Sober worm looks to come home for the holidays.

Microsoft admits major IE hole

Redmond has released Microsoft
Security Advisory 911302, which reveals that the company is investigating
reports of a serious vulnerability in Internet Explorer. Furthermore, the software
giant has disclosed that it has known about the security hole for more than six
months. (Reports of the vulnerability first surfaced in May 2005.)

Apparently, because the problem was originally a
“stability issue,” Microsoft didn’t consider it serious enough to
patch. However, Redmond has now upgraded the problem to a remote code execution
threat—a disclosure that came only after exploit code, as
well as reports of attacks, surfaced online.

The issue at hand is a critical threat triggered by the
inability to handle mismatched Document Object Model Objects. With the
exception of Windows Server 2003 and Windows Server 2003 Service Pack 1 (with
Enhanced Security Configuration activated), all other Windows OS versions are
vulnerable.

Microsoft’s initial workaround was to exercise caution when
opening links in e-mails. Since then, Microsoft has also suggested increasing
IE security settings so the system will prompt the user before running Active
Scripting.

The rest of the advisory’s advice is virtually useless:
Microsoft reminds users to keep systems updated with the most recent security
patches—and yet, no patch is available for this threat! The company also
suggests calling Microsoft if you experience an attack.

In addition, I would add the suggestion of only opening
e-mails in plain text rather than HTML. And as always, never open links in e-mails
from unknown senders.

Congress takes on spyware

Spyware is bad enough when you can’t pin down the source—but
consider how much worse things are when you know the source but can’t do
anything about it! The recent Sony
debacle has really brought the dangers of spyware close to home by showing
that even “trusted” vendors may be sticking nasty surprises in their
software.

While there have been several government suits brought
against Sony, there haven’t been as many as one might expect. This small number
illustrates that the U.S legal system just isn’t ready to deal with spyware
threats even when it knows where they come from.

However, the U.S. Congress has stepped in with S.2145:
“A bill to regulate the unauthorized installation of computer software, to
require clear disclosure to computer users of certain computer software
features that may pose a threat to user privacy, and for other purposes.”

Known as the Software Principles Yielding Better Levels of
Consumer Knowledge Act—the SPY BLOCK Act—this legislation is currently making
its way through Congress. While this bill likely won’t stop spyware, it might
reduce the number of multinational companies that decide to intentionally plant
it on users’ systems.

Sober returns

There has been a considerable increase in the number of
significant virus and worm attacks in the past two weeks. After several slow,
quiet months on the virus front, the Sober worm has
returned with a vengeance.

Over the past week, variants have
spread across the world, wreaking havoc in undefended systems. The X
variant has even made Symantec’s threat list,
scoring a 3 out of 5 for its risk rating—the first such threat level I’ve seen
in quite a while.

Other Sober variants—including S, T, V, and W—have scored a 2
rating. Of course, Sober is far from the only threat. The Linux.Plupii.B
threat has also earned a 2 rating, as have a couple of Mytob variants. A word
to the wise: Virus and worm threats aren’t dead—they just took the summer off!

Xbox experiences glitches

Only one day after the release of Microsoft’s Xbox 360,
reports surfaced of problems
with the much-anticipated video game console. Apparently, the many crashes
reported with the Xbox 360 mostly have to do with overheating.

Any additional cooling measures, such as pointing a fan at
it, playing outdoors here in the northern states, or mounting it in such as way
as to maximize heat dissipation, seem to reduce problems to manageable levels.
I’ll bet Microsoft is glad it’s about to release those
300,000 models in Europe!

Final word

In a week when reports abound of serious problems with the
Xbox 360 (serious enough that I’ve dropped plans to buy one for now), Microsoft
didn’t need to remind people that it may be ignoring some very serious known
vulnerabilities in its browser. It’s certainly bad enough that, just as Cyber Monday
(the most intense online shopping day of the year) is upon us, we learn that a
serious threat lurks hidden in most versions of Internet Explorer.

It is far worse to learn that the company knew about the
vulnerability as early as May—and did absolutely nothing about it publicly. Of
course, Redmond likely did nothing about it internally either, or we wouldn’t
be waiting for the company to determine how and when to patch it.

By the way, if you’re planning on getting an Xbox 360 and
have a lot of Xbox software, you might want to check out a backward-compatibility list
posted on GameSpot.com before trashing your old Xbox. On a personal note, I
was disappointed to find Project Gotham
Racing missing from the compatible list. While Microsoft says the list may
increase beyond the current 200-plus titles, I seriously doubt it left off
testing Gotham, so I need to factor
in the cost of a new copy if and when I decide to splurge on an Xbox 360.

Also watch for …

  • United
    Business Media, which owns PR Newswire and CMP, has purchased the Black
    Hat conference    . You know security has become a mainstream concern when
    a big publisher such as CMP buys the rights to an underground hacker
    convention. But does that mean it will become better?
  • Meanwhile,
    as those of you running Linux laugh at the latest IE threats and
    associated Microsoft stumbles, you might want to check out MalwareHelp.org,
    which has republished an article about how big Linux malware threats are
    looming on the near horizon.

Miss a column?

Check out the IT Locksmith Archive,
and catch up on the most recent editions of John McCormick’s column.

Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a security
consultant and well-known author in the field of IT, with more than 17,000
published articles. He has written the IT Locksmith column for TechRepublic for
more than four years.