patch flaw


  #1  
Old 07-23-04, 07:03 AM
P
Member
Thread Starter
Join Date: Jul 2001
Location: MD
Posts: 2,192
Received 6 Upvotes on 6 Posts
patch flaw

Hello 07/23/04
Does anyone know about this? Is there a patch to fix it yet?


Microsoft Patch Leaves Holes Open

Dangerous vulnerability still exists in IE, security expert warns.

Wilbert de Vries and Paul Roberts, WebWereld Netherlands


Microsoft's effort last week to fix a vulnerability in the Internet Explorer Web browser and end the latest series of Internet attacks doesn't address another closely related and dangerous vulnerability, according to a security specialist.
Dutch security expert Jelmer Kuperus published code on the Web last week that he says can be used to break into fully patched Windows systems using a slightly modified version of an attack called Download.Ject that Microsoft patched last week. The new attack targets a hole in a different Windows component than the one addressed by Microsoft's software patch. Using a similar attack, malicious hackers could break into even patched Windows machines, Kuperus says.

Microsoft confirms that the company is aware of the exploit code, but does not believe any customers have been attacked using the Shell.Application exploit, a spokesperson says.

Update Available
Microsoft last week introduced a security update for Internet Explorer 6.0 to end the threat of Download.Ject. The update disables a Windows component called ADODB.Stream, which was allegedly being used by a Russian criminal gang called the Hangup Team to install malicious code on computers.

By attacking a different Windows ActiveX component called Shell.Application, hackers can load malicious code onto machines.

The attack relies on a vulnerability in Shell.Application discovered and disclosed in January by a security expert known by the online handle "http-equiv," Kuperus says.

To prove his point, Kuperus posted a copy of attack code that targets the Shell.Application component on a Web site he maintains. Web surfers that use Windows XP with IE and visit the page are confronted with a screen that freezes Windows. According to Kuperus this example is harmless, but the exploit could be used in the same way the group of Russian criminals exploited the ADODB.Stream vulnerability in a series of attacks in June.

Those attacks combined compromises unpatched Microsoft Internet Information Services (IIS) Web servers with attacks using two vulnerabilities in Windows and Internet Explorer. Web surfers visiting compromised Web sites had malicious code secretly downloaded to run on their systems. When run, the code redirected Web browsers to Web sites controlled by the hackers, from which personal data was downloaded and a Trojan horse program captured keystrokes.

Working Together
Kuperus joined the expert known as http-equiv to create computer code that demonstrated the Shell.Application vulnerability. After the attacks in June, the two anticipated the patch issued by Microsoft would not be comprehensive and began writing a new exploit before Microsoft actually plugged the ADODB.Stream vulnerability.

A few hours after Microsoft issued its update last week, Kuperus posted the new exploit on his site.

"We discovered that by simply switching components, the exploit is back in business," Kuperus says.

Microsoft acknowledges that the Shell.Application has similar capabilities to the ADODB.Stream component. However, it does not yet have configuration changes to address the vulnerability, as it did with ADODB.Stream, a spokesperson says.

The Redmond, Washington software company is investigating the issue and is planning a series of updates to IE in the coming weeks that will provide additional security for its customers, she says.

Thank you
Pete
 
  #2  
Old 07-23-04, 08:10 AM
las
Visiting Guest
Posts: n/a
have you got SP2

Did you download SP2?What are you talking about?
 
  #3  
Old 07-23-04, 09:42 AM
P
Member
Thread Starter
Join Date: Jul 2001
Location: MD
Posts: 2,192
Received 6 Upvotes on 6 Posts
patch flaw

I was simply posting an article I had read this AM.
I have not yet installed sp2.
I thought someone might want to share some opinon re: this article which, as I read it, means Microsoft's latest effort to ensure security has once again been violated.
I was wondering if you install sp2 if this vulnerability will be on it and require another patch.
 
  #4  
Old 07-24-04, 03:14 PM
las
Visiting Guest
Posts: n/a
Time will tell

Well only time will tell,I think windows xp Is going to be around for
a long time afterwards even thou microsoft says It will discontine
support for windows xp sometime In 2007...long ways off and yet just around the corner.I know has far as my computer goes that has long has It keeps running and working with windows xp I won't buy anything differant
 
  #5  
Old 07-25-04, 06:49 AM
C
Member
Join Date: Nov 2001
Location: Taylors, SC
Posts: 9,261
Upvotes: 0
Received 0 Upvotes on 0 Posts
I thought someone might want to share some opinon re: this article which, as I read it, means Microsoft's latest effort to ensure security has once again been violated.
If the code were rewritten from the ground up instead of being a continual patch, this might be repaired. There are options for secure browsers out there.
 
 

Thread Tools
Search this Thread
 
Ask a Question
Question Title:
Description:
Your question will be posted in: