Microsoft exposes serious IE vulnerability

• Tags:
• Security,
• Hole,
• Flaw

John McCormick

Published: 29 Nov 2005 17:45 GMT

• 
• 
• 
• 
• 

Redmond is finally addressing a not-so-new vulnerability in Internet Explorer, but a patch is still on the drawing board. Meanwhile, Sony's recent spyware incident has spurred the US Congress to get involved, and the Sober worm looks to come home for the holidays.

Microsoft admits major IE hole
Redmond has released Microsoft Security Advisory 911302, which reveals that the company is investigating reports of a serious vulnerability in Internet Explorer. Furthermore, the software giant has disclosed that it has known about the security hole for more than six months. (Reports of the vulnerability first surfaced in May 2005.)

Apparently, because the problem was originally a "stability issue", Microsoft didn't consider it serious enough to patch. However, Redmond has now upgraded the problem to a remote code execution threat — a disclosure that came only after exploit code, as well as reports of attacks, surfaced online.

The issue at hand is a critical threat triggered by the inability to handle mismatched Document Object Model Objects. With the exception of Windows Server 2003 and Windows Server 2003 Service Pack 1 (with Enhanced Security Configuration activated), all other Windows OS versions are vulnerable.

Microsoft's initial workaround was to exercise caution when opening links in emails. Since then, Microsoft has also suggested increasing IE security settings so the system will prompt the user before running Active Scripting.

The rest of the advisory's advice is virtually useless: Microsoft reminds users to keep systems updated with the most recent security patches — and yet, no patch is available for this threat. The company also suggests calling Microsoft if you experience an attack.

In addition, I would add the suggestion of only opening emails in plain text rather than HTML — and, as always, never open links in emails from unknown senders.

Congress takes on spyware
Spyware is bad enough when you can't pin down the source — but consider how much worse things are when you know the source but can't do anything about it. The recent Sony debacle has really brought the dangers of spyware close to home by showing that even "trusted" vendors may be sticking nasty surprises in their software.

While there have been several government suits brought against Sony, there haven't been as many as one might expect. This small number illustrates that the US legal system just isn't ready to deal with spyware threats even when it knows where they come from.

However, the US Congress has stepped in with S.2145: "A bill to regulate the...

For more, click here... 

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit

• Most Recent
• Most Popular
• Most Discussed