Microsoft fixes Internet Explorer flaws

The fix addresses Internet Explorer security holes exploited by Download.ject and other malicious code.

Microsoft Corp. went outside its normal patch cycle Friday and issued an update for Internet Explorer, fixing security holes already exploited by Download.ject and other malicious code. Users should download the fixes in MS04-025 immediately, the software giant said in a statement.

"MS04-025 is a cumulative update that addresses three publicly-disclosed security vulnerabilities used in attacks such as Download.Ject that could allow a malicious attacker to execute code on a computer user's system," the Microsoft statement said. "The updates in this out-of-cycle release will be included in the Windows XP SP 2 upon its release in August. In addition, underlying architectural changes made to IE in SP 2 mitigate this class of attack."

Symantec Security Response Senior Director Alfred Huger recommended users take Microsoft's advice. "With the widespread use of Microsoft Internet Explorer in both the enterprise and consumer environments, it is critical that security patches be applied immediately," he said in a statement Friday. "Symantec has already seen exploits in the wild taking advantage of at least one of these vulnerabilities."


The security update addresses three flaws: a remote code execution vulnerability, a buffer overrun vulnerability in the processing of BMP image files, and a buffer overrun vulnerability in the processing of GIF image files. The flaws affect multiple versions of Internet Explorer. Symantec said that if a user is logged on with administrative privileges, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system: install programs such as spyware and backdoors; view, change or delete data; and create new accounts with full privileges.

Criticism over Internet Explorer's security holes reached a fever pitch after June's Download.ject attack, which targeted users of the browser and of Internet Information Services 5.0 (IIS), both components of Windows. Microsoft concluded the assault was a targeted, manual attack by individuals or entities against specific servers. It used compromised sites to append JavaScript to the bottom of Web pages. When executed, the JavaScript would access a file hosted on another server believed to contain malicious code that could affect the end user's system.

The HangUP Team, a for-profit malicious code group from Russia, is believed responsible for Download.ject and for the recent rash of Korgo worms that attacked the LSASS vulnerability Microsoft outlined in Security Bulletin MS04-011. Experts believe the goal of the attack was to deliver malicious code to visitors of an affected Web site, code that could be used to steal credit card and other information that would then be sold on organized identity-theft markets.

Following the Download.ject attack, the U.S. Computer Emergency Readiness Team (US-CERT) issued a statement recommending users switch from Internet Explorer to alternative browsers.

Microsoft announced a workaround for the vulnerability earlier this month that disables the ADODB.Stream ActiveX control, preventing widely used payload delivery techniques from functioning. The company recommended that users make the configuration change immediately through Windows Update; use an Internet firewall on all PCs and laptops; keep machines updated with the latest security patches through Windows Update; and use up-to-date antivirus software.
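As an added example (not from the article or from Microsoft), the following PowerShell script checks whether the ADODB.Stream workaround described above is in place on a Windows machine by reading the control's "kill bit". It assumes the ADODB.Stream CLSID {00000566-0000-0010-8000-00AA006D2EA4} and the 0x400 kill-bit flag under IE's ActiveX Compatibility registry key; neither value appears in the article.

```powershell
# Added example: verify that the ADODB.Stream ActiveX control is disabled.
# Assumptions (not stated in the article): ADODB.Stream's CLSID is
# {00000566-0000-0010-8000-00AA006D2EA4}, and Internet Explorer refuses to
# load a control when bit 0x400 is set in the "Compatibility Flags" DWORD
# under the ActiveX Compatibility key for that CLSID.

$Clsid   = '{00000566-0000-0010-8000-00AA006D2EA4}'
$KillBit = 0x400

# 64-bit Windows keeps a second copy of the key for 32-bit IE under Wow6432Node.
$KeyPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Test-KillBit {
    param([string]$Path)
    # Returns $true only if the key exists and the 0x400 flag is present.
    if (-not (Test-Path -Path $Path)) { return $false }
    $flags = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

$results = foreach ($path in $KeyPaths) {
    # Skip the Wow6432Node path on systems where it does not exist at all.
    if ($path -like '*Wow6432Node*' -and -not (Test-Path -Path (Split-Path $path -Parent))) { continue }
    [pscustomobject]@{ Key = $path; KillBitSet = (Test-KillBit -Path $path) }
}

$results | Format-Table -AutoSize

if ($results.KillBitSet -contains $false) {
    Write-Output 'ADODB.Stream is still loadable: apply MS04-025 or the ADODB.Stream workaround.'
} else {
    Write-Output 'ADODB.Stream kill bit is set everywhere it applies: the workaround is in place.'
}
```

Run from an elevated prompt on the machine being checked; the script only reads the registry and changes nothing.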
