PC Review



Serious security flaw found in IE

 
 
Stu
      19th Dec 2008
Robinb. Very nice lady. I don't see it now but you have/had a signature which
makes a reference to being a `Hostage` to your computer. May I suggest
`Slave` would be a better word. Hostage seems rather radical - if you know
what I mean! Tell me to `mind my own business` (or butt out if you will!!)
- I have broad shoulders.

Stu

"robinb" wrote:

> so where is this patch? I have not gotten it yet
> robin
>
> "Bill Sanderson" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Folks using these work-arounds should be aware that at least one of them
> > will break Outlook Web Access, which may be of significance to anyone in
> > an office using Small Business Server, or in larger networks using
> > Exchange and Outlook as well.
> >
> > I recommend reversing these work-arounds prior to applying today's
> > patch--but I haven't yet read what Microsoft's advice is about this.
> >
> >
> > "mae" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> >>I applied the work arounds recommended in the advisory.
> >> Should work until:
> >> http://blogs.technet.com/msrc/archiv...d-release.aspx
> >> Microsoft Security Bulletin Advance Notification for December 2008
> >> This is an advance notification of an out-of-band security bulletin that
> >> Microsoft is intending to release on December 17, 2008.
> >> Source: http://www.microsoft.com/technet/sec.../ms08-dec.mspx
> >>
> >> You should subscribe to a security feed or alert from Microsoft,
> >> then you won't have to wait for someone else to publish it.
> >> I get this feed http://blogs.technet.com/msrc/default.aspx
> >>
> >> mae
> >>
> >> "Alan" <(E-Mail Removed)> wrote in message
> >> news:(E-Mail Removed)...
> >> | Here is the official notification from Microsoft which was first published
> >> | on December 10, 2008 and updated on December 15:
> >> | http://www.microsoft.com/technet/sec...ry/961051.mspx
> >> |
> >> | Alan
> >> |
> >> | "Alan" <(E-Mail Removed)> wrote in message
> >> | news:(E-Mail Removed)...
> >> | > Here's a News Article carried today by the BBC at
> >> | > http://news.bbc.co.uk/2/hi/technology/7784908.stm
> >> | >
> >> | > Serious security flaw found in IE
> >> | >
> >> | > Users of Microsoft's Internet Explorer are being urged by experts to
> >> | > switch to a rival until a serious security flaw has been fixed.
> >> | >
> >> | > The flaw in Microsoft's Internet Explorer could allow criminals to take
> >> | > control of people's computers and steal their passwords, internet experts
> >> | > say.
> >> | >
> >> | > Microsoft urged people to be vigilant while it investigated and prepared
> >> | > an emergency patch to resolve it.
> >> | >
> >> | > Internet Explorer is used by the vast majority of the world's computer
> >> | > users.
> >> | >
> >> | > "Microsoft is continuing its investigation of public reports of attacks
> >> | > against a new vulnerability in Internet Explorer," said the firm in a
> >> | > security advisory alert about the flaw.
> >> | >
> >> | > Microsoft says it has detected attacks against IE 7.0 but said the
> >> | > "underlying vulnerability" was present in all versions of the browser.
> >> | >
> >> | > Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable
> >> | > to the flaw Microsoft has identified.
> >> | >
> >> | > Browser bait
> >> | >
> >> | > "In this case, hackers found the hole before Microsoft did," said Rick
> >> | > Ferguson, senior security advisor at Trend Micro. "This is never a good
> >> | > thing."
> >> | >
> >> | > As many as 10,000 websites have been compromised since the vulnerability
> >> | > was discovered, he said.
> >> | >
> >> | > "What we've seen from the exploit so far is it stealing game passwords,
> >> | > but it's inevitable that it will be adapted by criminals," he said. "It's
> >> | > just a question of modifying the payload the trojan installs."
> >> | >
> >> | > Said Mr Ferguson: "If users can find an alternative browser, then that's
> >> | > good mitigation against the threat."
> >> | >
> >> | > But Microsoft counselled against taking such action.
> >> | >
> >> | > "I cannot recommend people switch due to this one flaw," said John Curran,
> >> | > head of Microsoft UK's Windows group.
> >> | >
> >> | > He added: "We're trying to get this resolved as soon as possible.
> >> | >
> >> | > "At present, this exploit only seems to affect 0.02% of internet sites,"
> >> | > said Mr Curran. "In terms of vulnerability, it only seems to be affecting
> >> | > IE7 users at the moment, but could well encompass other versions in time."
> >> | >
> >> | > Richard Cox, chief information officer of anti-spam body The Spamhaus
> >> | > Project and an expert on privacy and cyber security, echoed Trend Micro's
> >> | > warning.
> >> | >
> >> | > "It won't be long before someone reverse engineers this exploit for more
> >> | > fraudulent purposes. Trend Micro's advice [of switching to an alternative
> >> | > web browser] is very sensible," he said.
> >> | >
> >> | > PC Pro magazine's security editor, Darien Graham-Smith, said that there
> >> | > was a virtual arms race going on, with hackers always on the look out for
> >> | > new vulnerabilities.
> >> | >
> >> | > "The message needs to get out that this malicious code can be planted on
> >> | > any web site, so simple careful browsing isn't enough."
> >> | >
> >> | > "It's a shame Microsoft have not been able to fix this more quickly, but
> >> | > letting people know about this flaw was the right thing to do. If you keep
> >> | > flaws like this quiet, people are put at risk without knowing it."
> >> | >
> >> | > "Every browser is susceptible to vulnerabilities from time to time. It's
> >> | > fine to say 'don't use Internet Explorer' for now, but other browsers may
> >> | > well find themselves in a similar situation," he added.
 
Bill Sanderson
      19th Dec 2008
I suppose it may take a few incidents to teach an organization that the cute
web site that they can put out there for next to nothing, all done by those
amazing techies with whom we can barely communicate is in fact a major risk
of substantial embarrassment or worse when things go wrong. I suspect the
vast majority of sites out there depend on contractors for the vast majority
of the technical knowledge involved--and those contractors may well have
neither the specific guidance (they aren't getting paid to watch the
changing security landscape and improve their design as needed), nor the
sense of ownership (their name isn't on the site)--that might help.

In fact, my day to day work often involves hours of keystrokes merging lists
for mailings, and every aspect of computer use from building them to
describing how to use the out of office features in Outlook. Most jobs
involve more breadth of knowledge than a given occupant may have when he
starts it--and in technical jobs--that breadth may be growing faster than
the job occupant has time to learn!

That's how I ended up in newsgroups in the first place--looking for
technical answers that weren't in the manual, and I didn't know.


--

"Stu" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> So that is where it could all fall down? That begs the question of staff
> training which will invoke awareness - not to mention education. It's all very
> well guys `like yourself ` taking a professional approach to Internet
> Security` but if the training of admins and floor level staff is not evident
> in that particular organisation? Time to wonder. Are there situations when
> you feel like you are walking uphill with a 60lb back pack?
>
> Stu
>
> "Bill Sanderson" wrote:
>
>> They do indeed. Although it is appropriate to blame the folks who hack
>> legitimate sites and install malware, clearly the admins of those legitimate
>> sites have not been doing all they could have.
>>
>> (and so I say, as an admin of half a dozen such sites. It's a balancing
>> act--I know very little about web authoring, MySQL, or the various packages
>> that various developers have used over time to develop the sites I have
>> overall charge of. I try to stay on top of security issues, and I do
>> discuss the specific issue of SQL injection attacks with our developers just
>> to see how they respond. This stuff is not cut and dried--there isn't any
>> simple testing tool that can tell you whether or not your site is safe, as
>> far as I can tell--it is a question of the skills of your staff.)
>>
>>
>> "Stu" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>> > Let us not forget the `good` web site developers have a certain
>> > responsibility here.
>> >
>> > Stu
>> >
>> > "Bill Sanderson" wrote:
>> >
>> >> I managed to not broadcast this issue to the users I support--but several
>> >> people either asked about it or sent me information about the issue to
>> >> make sure I knew about it.
>> >>
>> >> I wasn't yet ready to put into effect the work-arounds Microsoft has
>> >> supplied, given my understanding of the extent of the risk--and I see no
>> >> point in creating fear and doubt without a clear set of actions to
>> >> prescribe.
>> >>
>> >> I did write everyone this morning asking that they apply today's patch as
>> >> soon as it is convenient for them, and I'll be doing that manually on
>> >> systems I can reach when it is available.
>> >>
>> >> This was a close call--the code to exploit the vulnerability was publicly
>> >> available since December 10th--meaning that anyone could pick it up and
>> >> make use of it. Fortunately, it required that you visit a web site to be
>> >> infected--it isn't something that can directly infect from an email
>> >> message.
>> >>
>> >> There were some innocent sites that were hacked to distribute this
>> >> malicious code--which is a good part of where the real risk lies for users
>> >> who don't frequent porn sites.
>> >>
>> >> I doubt that my users were making use of the features of Internet Explorer
>> >> that would be disabled by the simpler work-arounds for this exploit, but
>> >> I'm not certain of that, and didn't want to have to fix this twice--once
>> >> via a work-around and then need to reverse that and install the final
>> >> patch.
>> >>
>> >> I'm glad they were able to produce a patch quickly.
>> >>
>> >> --
>> >>
>> >> "Stu" <(E-Mail Removed)> wrote in message
>> >> news:(E-Mail Removed)...
>> >> > Panic over Bill? You know, maybe I'm too laid back with these security
>> >> > issues. I can never understand why there is this tendency for a `knee
>> >> > jerk` reaction with associated buzz on these NGs - like bees which have
>> >> > just been awoken from their hives. Everything buzzing around
>> >> > (deliberating and speculating) while someone works quietly in the
>> >> > background resolving the issue. Perhaps there are times when ignorance
>> >> > is bliss ;)
>> >> >
>> >> > Stu
>> >> >
>> >> > "Bill Sanderson" wrote:
>> >> >
>> >> >> A patch for this will be issued tomorrow, as others in this thread
>> >> >> have noted (oops--today!)
>> >> >>
>> >> >> I'd advise installing this patch.
>> >> >>
>> >> >> That's what I plan to do.
>> >> >>
>> >> >> --
>> >> >>
>> >> >> "Alan" <(E-Mail Removed)> wrote in message
>> >> >> news:(E-Mail Removed)...
>> >> >> > Here's a News Article carried today by the BBC at
>> >> >> > http://news.bbc.co.uk/2/hi/technology/7784908.stm
 
Stu
      19th Dec 2008

.............. "Most jobs involve more breadth of knowledge than a given
occupant may have when he starts it--and in technical jobs--that breadth may
be growing faster than the job occupant has time to learn!"

Isn't that a fact! It must be so difficult to keep up let alone abreast of
things. At least for me it's nothing more than a hobby or interest, not a
necessity born of a profession. I often feel in the world of IT today's news
is almost history before it starts out if that makes sense. Things are moving
so fast or perhaps I'm getting slower to comprehend. As for the Newsgroups.
I have found them to be a tremendous source of information and guidance.
Definitely one of the better things MS has done in my books.

Stu

