Microsoft to release out-of-cycle patch

Microsoft Corp. will veer outside its once-a-month patching cycle next week with a permanent fix for the security holes in Internet Explorer that were exploited last month during the Download.ject attack.

The patch is in the final stages of testing and will be released "within the week, when it has been found to be an effective and quality fix for all supported versions of IE," a spokesperson for the software giant said Wednesday night. The spokesperson declined to elaborate further.

Criticism over Internet Explorer's multiple flaws reached a fever pitch following the Download.ject attack, which targeted users of the popular Web browser and Internet Information Services 5.0 (IIS), both components of Windows. Microsoft has concluded the assault was a targeted manual attack by individuals or entities towards a specific server. It used compromised sites to append JavaScript to the bottom of Web pages. When executed, the JavaScript would access a file hosted on another server believed to contain malicious code that could affect the end user's system.

The HangUP Team, a for-profit malicious code group from Russia, is believed responsible for Download.ject and for the recent rash of Korgo worms that attacked the LSASS vulnerability Microsoft outlined in security bulletin MS04-011. Experts believe the goal of the attack was to deliver malicious code to visitors of an affected Web site that could be used to steal credit card and other information that would then be marketed to organized identity theft markets.

Following the Download.ject attack, the U.S. Computer Emergency Readiness Team (US-CERT) issued a statement recommending users switch from Internet Explorer to alternative browsers.

Microsoft announced a workaround to the vulnerability earlier this month that disables the ADODB.Stream ActiveX control, preventing widely used payload delivery techniques from functioning. The company recommended users make the configuration change immediately through Windows Update; use an Internet firewall on all PCs and laptops; update machines with all the latest security patches through Windows Update; and use up-to-date antivirus software.

Information security experts criticized the software giant's response, saying that while the workaround may successfully block future attacks, it fails to fix the browser's core problem and may actually interfere with programs that have worked fine to date. They added that the company must respond to flaws more quickly than it has in the past.