Microsoft Corp. went outside its normal patch cycle Friday and issued an update for Internet Explorer, fixing security holes already exploited by Download.ject and other malicious code. Users should download the fixes in MS04-025.
"MS04-025 is a cumulative update that addresses three publicly-disclosed security vulnerabilities used in attacks such as Download.Ject that could allow a malicious attacker to execute code on a computer user's system," the Microsoft statement said. "The updates in this out-of-cycle release will be included in the Windows XP SP 2 upon its release in August. In addition, underlying architectural changes made to IE in SP 2 mitigate this class of attack."
Symantec Security Response Senior Director Alfred Huger recommended users take Microsoft's advice. "With the widespread use of Microsoft Internet Explorer in both the enterprise and consumer environments, it is critical that security patches be applied immediately," he said in a statement Friday. "Symantec has already seen exploits in the wild taking advantage of at least one of these vulnerabilities."
The security update addresses three flaws: a remote code execution vulnerability; a buffer overrun vulnerability in the processing of BMP image file formats; and a buffer overrun vulnerability in the processing of GIF image file formats. The flaws affect multiple versions of Internet Explorer. Symantec said if a user is logged on with administrative privileges, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system to install programs such as spyware and backdoors; view, change or delete data; and create new accounts with full privileges.
The HangUP Team, a for-profit malicious code group from Russia, is believed responsible for Download.ject and for the recent rash of Korgo worms that attacked the LSASS vulnerability Microsoft outlined in Security Bulletin MS04-011. Experts believe the goal of the attack was to deliver malicious code to visitors of an affected Web site, code that could be used to steal credit card and other information that would then be marketed to organized identity theft markets.
Following the Download.ject attack, the U.S. Computer Emergency Readiness Team (US-CERT) issued a statement recommending users switch from Internet Explorer to alternative browsers.
Microsoft announced a workaround to the vulnerability earlier this month that disables the ADODB.Stream ActiveX control, preventing widely used payload delivery techniques from functioning. The company recommended users make the configuration change immediately through Windows Update; use an Internet firewall on all PCs and laptops; update machines with all the latest security patches through Windows Update; and use up-to-date antivirus software.