Microsoft's workaround to address security holes in Internet Explorer may successfully block future attacks. But it fails to fix the browser's core problem and may actually interfere with programs that have worked fine to date, some information security experts said yesterday. They added that the company must respond to flaws more quickly than it has in the past.
A spokesperson for the software giant said critics must keep in mind that the configuration change announced Friday for Windows XP, Windows Server 2003 and Windows 2000 is not a permanent fix. Rather, it's a temporary measure to stave off attacks until Microsoft releases more comprehensive security updates in the next few weeks.
Microsoft announced the workaround in response to the Download.Ject attack that targeted security holes in IIS 5.0 and Internet Explorer less than two weeks ago. The workaround disables the ADODB.Stream ActiveX control, preventing widely used payload delivery techniques from functioning. The company recommends users make the configuration change immediately through Windows Update.
Thor Larholm, senior security researcher with PivX Solutions of Newport Beach, Calif., said that while the workaround can help prevent exploits and is similar to what other security firms have been suggesting for months, it's not an ideal solution because "the problem here is not the ADODB.Stream or Shell.Application objects. The problem is the insecure My Computer zone in Internet Explorer. ActiveX objects are used in many hosts of which IE is just one."
Larholm added that Microsoft's Band-aid approach is a recipe for more trouble in the future. "I am sure that tomorrow, next week and next month we will find even more ways to exploit insecure zone privileges in IE," he said. "You can either try to fix the root cause once or you can try to treat each new symptom as it is discovered. All software is inherently insecure. The difference is in how you treat that insecurity."
Drew Copley, a research engineer for Aliso Viejo, Calif.-based eEye Digital Security, agreed, and said he can't understand why it has taken Microsoft so long to fix Internet Explorer.
"The real problem I see with Microsoft is their failure to communicate and especially their failure to fix these security holes in any kind of timely manner," Copley said via e-mail. "In the case of these bugs, they have gone almost a year without fixing them. This bug was a major bar-lowerer. It made it easy to run executable code. We said this over and over again. I think they still would not have fixed it if a number of people with some voice hadn't made an issue over it."
Responding to those criticisms yesterday afternoon, a Microsoft spokesperson stressed that the configuration change is designed to protect against immediate threats, and that more security updates to Internet Explorer are coming in the next few weeks, including the release of Windows XP Service Pack 2, which will include "the most up-to-date network, Web browsing and e-mail features designed to help protect against malicious attacks and reduce unwanted content and downloads."
David Kennedy, director of research services for Reston, Va.-based security firm TruSecure, said Service Pack 2 may be a superior program, but many businesses have already committed themselves to Windows 2000 and it's not financially or logistically feasible for most to adopt Service Pack 2. "Windows 2000 is supposed to be a supported program," he said. "Where's that support?"
In response, the Microsoft spokesperson referred to Friday's company statement that a "comprehensive update for all supported versions of Internet Explorer will be released once it has been thoroughly tested and found to be effective across a wide variety of supported versions and configurations" of the browser.