Microsoft Corp. will veer outside its once-a-month patching cycle next week with a permanent fix for the security holes in Internet Explorer that were exploited last month during the Download.ject attack.
The patch is in the final stages of testing and will be released "within the week, when it has been found to be an effective and quality fix for all supported versions of IE," a spokesperson for the software giant said Wednesday night. The spokesperson declined to elaborate further.
The HangUP Team, a for-profit malicious code group from Russia, is believed responsible for Download.ject and for the recent rash of Korgo worms that attacked the LSASS vulnerability Microsoft outlined in security bulletin MS04-011. Experts believe the goal of the attack was to plant malicious code on the machines of visitors to compromised Web sites; that code could then steal credit card numbers and other personal information, which would in turn be sold on organized identity theft markets.
Following the Download.ject attack, the U.S. Computer Emergency Readiness Team (US-CERT) issued a statement recommending users switch from Internet Explorer to alternative browsers.
Microsoft announced a workaround to the vulnerability earlier this month that disables the ADODB.Stream ActiveX control, the component the attack's exploit code used to write its downloaded payload to disk, so that this widely used payload delivery technique no longer functions. The company recommended that users make the configuration change immediately through Windows Update; use an Internet firewall on all PCs and laptops; install all the latest security patches through Windows Update; and run up-to-date antivirus software.
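For administrators who want to confirm that the workaround has actually landed on a machine, the following PowerShell script is an added example (it is not code from the article or from Microsoft). It resolves the control's CLSID from its ProgID rather than hard-coding it, reads Internet Explorer's ActiveX Compatibility key for that CLSID, and reports whether the 0x400 "kill bit" is present; with `-Fix` it sets the bit. The assumptions are that the control is registered under the ProgID `ADODB.Stream` and that Internet Explorer honours the standard kill-bit flag in `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility`.

```powershell
# Added example, not from the article or Microsoft: check (and optionally set) the
# Internet Explorer kill bit for the ADODB.Stream ActiveX control.
# Assumptions: the control is registered under the ProgID "ADODB.Stream", and IE
# honours the 0x400 kill bit under its "ActiveX Compatibility" registry key.
param([switch]$Fix)

$KillBit = 0x400

# Resolve the CLSID from the ProgID so nothing has to be hard-coded.
$progIdKey = 'Registry::HKEY_CLASSES_ROOT\ADODB.Stream\CLSID'
if (-not (Test-Path $progIdKey)) {
    Write-Output 'ADODB.Stream is not registered on this system; nothing to do.'
    return
}
$clsid = (Get-ItemProperty -Path $progIdKey).'(default)'

# IE consults this per-CLSID key before instantiating a control.
$compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$flags = 0
if (Test-Path $compatKey) {
    $prop = Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($prop) { $flags = [int]$prop.'Compatibility Flags' }
}
$hex = '0x{0:X}' -f $flags

if (($flags -band $KillBit) -eq $KillBit) {
    Write-Output "Kill bit already set for ADODB.Stream $clsid (Compatibility Flags = $hex)."
    return
}

Write-Output "Kill bit NOT set for ADODB.Stream $clsid (Compatibility Flags = $hex)."

if ($Fix) {
    # Writing under HKLM requires an elevated (administrator) session.
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
    Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' `
        -Value ($flags -bor $KillBit) -Type DWord
    Write-Output 'Kill bit set; Internet Explorer will now refuse to instantiate ADODB.Stream.'
}
```

The kill bit is a browser-level block: it stops Internet Explorer from instantiating the control, but the component stays registered and remains available to other COM hosts, so the script is a check on the workaround, not on the underlying browser flaw. On 64-bit Windows, a 32-bit Internet Explorer reads the same key under `Wow6432Node`, so check both locations there.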
Information security experts criticized the software giant's response, saying that while the workaround may successfully block future attacks, it fails to fix the browser's core problem and may actually interfere with programs that have worked fine to date. They added that the company must respond to flaws more quickly than it has in the past.