Hackers jump through holes in Microsoft patch
'Microsoft should be ashamed,' says one security expert
IDG News Service - Security experts are warning Microsoft Corp. customers about silent Internet attacks that exploit a security flaw in the Internet Explorer Web browser that potentially allows remote attackers to run malicious code on vulnerable machines.
The vulnerability is similar in scope to those exploited by devastating worms such as Nimda, Badtrans and Klez, according to one security company. And, to make matters worse, the flaw is one Microsoft said it fixed weeks ago.
The security hole, known as the "Object Data vulnerability," affects Internet Explorer Versions 5.01, 5.5 and 6.0. It affects the way Internet Explorer processes HTML pages containing a special element called the Object Data tag. If properly exploited, the vulnerability could enable an attacker to place a malicious computer program on a user's machine. No user actions would be required aside from opening an e-mail message or visiting a Web page containing the attack.
On Aug. 20, Microsoft released a patch for Internet Explorer, MS03--032, that it said closed the hole and patched other security holes in Internet Explorer.
According to a message posted to a prominent security discussion group Sunday, however, the vulnerability still exists on machines using Internet Explorer even after applying the patch. That message, posted by a person using the name "http-equiv@excite.com," contained sample code that showed that Internet Explorer is still vulnerable to attack using the vulnerability from HTML pages that are created dynamically using computer script, like JavaScript, embedded in Web pages or e-mail messages.
A Microsoft spokesman confirmed that the company is investigating the reports of new exploits for one of the vulnerabilities addressed in the MS03-032 security bulletin. Microsoft still recommends that customers install that patch, he said, adding that the company isn't aware of any customers who have been attacked using the vulnerability.
Security researchers know of at least one exploitation of the Object Data vulnerability that is already circulating on the Internet, according to a statement by Secunia Ltd., a Copenhagen-based security company.
An e-mail message that contains HTML code that exploits the vulnerability is used to silently retrieve and run a file, "drg.exe," that installs a file called "surferbar.dll" onto the victim's computer, according to the Secunia alert. That file adds a new bar to the affected users' Internet Explorer Web browser with links to pornographic Web sites, the company said.
The Object Data vulnerability is similar to an earlier Internet Explorer security hole dating to 2001, MS01-020, that was exploited by virulent e-mail worms such as Nimda and Klez, according to Secunia.
Security experts familiar with the issue say that Microsoft's failure to thoroughly test its patch against attack scenarios using the Object Data vulnerability is a black eye for the company. "Microsoft should be ashamed. This is a major embarrassment," said Richard Smith, an independent security analyst based in Boston.
The problem with the Object Data vulnerability is similar to a hole found in a prior Microsoft patch, according to Israeli security company GreyMagic Software, which issued a report on that problem in February 2002.
That fact points to problems with Microsoft's patch-testing process, Smith said. "They need to go back and look at how this slip-up occurred. They keep saying they can't prevent bugs, but when the same problems keep occurring over and over, that's a management issue."
A Microsoft spokesman said the company is committed to keeping its customers' data safe and will take "appropriate action" to protect customers when its investigation into the new exploits is complete.
In the absence of a patch from Microsoft to fix the problem, security experts recommended disabling support for Active Scripting on affected Internet Explorer versions. Failing that, users should consider uninstalling the popular browser to protect themselves from attack, experts said.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Reducing the Cost and Complexity of Web Vulnerability Management
- Hackers and cybercriminals are constantly refining their attacks and targets; which means you need agile tools to stay ahead of them.
Download this... - Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Top Solutions and Tools to Prevent Devastating Malware
- Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
- Streamline Compliance and Increase ROI
- Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will... All Malware and Vulnerabilities White Papers
- Optimizing Networks for the Cloud
- Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
- Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
- Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
- Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
- Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
- Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
- Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn...
- Virtualize Business-Critical Applications with Confidence
- Virtualizing business-critical applications has become a key focus for organizations as they move along their virtualization journey. With the launch of VMware vSphere®... All Malware and Vulnerabilities Webcasts