Serious security flaw found in IE

Discussion in 'Spyware Discussion' started by Alan, Dec 16, 2008.

  1. Alan

    Alan Guest

    Here's a News Article carried today by the BBC at
    http://news.bbc.co.uk/2/hi/technology/7784908.stm

    Serious security flaw found in IE

    Users of Microsoft's Internet Explorer are being urged by experts to switch
    to a rival until a serious security flaw has been fixed.

    The flaw in Microsoft's Internet Explorer could allow criminals to take
    control of people's computers and steal their passwords, internet experts
    say.

    Microsoft urged people to be vigilant while it investigated and prepared an
    emergency patch to resolve it.

    Internet Explorer is used by the vast majority of the world's computer
    users.


    "Microsoft is continuing its investigation of public reports of attacks
    against a new vulnerability in Internet Explorer," said the firm in a
    security advisory alert about the flaw.

    Microsoft says it has detected attacks against IE 7.0 but said the
    "underlying vulnerability" was present in all versions of the browser.

    Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable
    to the flaw Microsoft has identified.

    Browser bait

    "In this case, hackers found the hole before Microsoft did," said Rick
    Ferguson, senior security advisor at Trend Micro. "This is never a good
    thing."

    As many as 10,000 websites have been compromised since the vulnerability was
    discovered, he said.

    "What we've seen from the exploit so far is it stealing game passwords, but
    it's inevitable that it will be adapted by criminals," he said. "It's just a
    question of modifying the payload the trojan installs."


    Said Mr Ferguson: "If users can find an alternative browser, then that's
    good mitigation against the threat."

    But Microsoft counselled against taking such action.

    "I cannot recommend people switch due to this one flaw," said John Curran,
    head of Microsoft UK's Windows group.

    He added: "We're trying to get this resolved as soon as possible.

    "At present, this exploit only seems to affect 0.02% of internet sites,"
    said Mr Curran. "In terms of vulnerability, it only seems to be affecting
    IE7 users at the moment, but could well encompass other versions in time."

    Richard Cox, chief information officer of anti-spam body The Spamhaus
    Project and an expert on privacy and cyber security, echoed Trend Micro's
    warning.

    "It won't be long before someone reverse engineers this exploit for more
    fraudulent purposes. Trend Mico's advice [of switching to an alternative web
    browser] is very sensible," he said.

    PC Pro magazine's security editor, Darien Graham-Smith, said that there was
    a virtual arms race going on, with hackers always on the look out for new
    vulnerabilities.

    "The message needs to get out that this malicious code can be planted on any
    web site, so simple careful browsing isn't enough."

    "It's a shame Microsoft have not been able to fix this more quickly, but
    letting people know about this flaw was the right thing to do. If you keep
    flaws like this quiet, people are put at risk without knowing it."

    "Every browser is susceptible to vulnerabilities from time to time. It's
    fine to say 'don't use Internet Explorer' for now, but other browsers may
    well find themselves in a similar situation," he added.
     
    Alan, Dec 16, 2008
    #1
    1. Advertisements

  2. Alan

    Alan Guest

    Here is the official notification from Microsoft which was first published
    on December 10, 2008 and updated on December 15:
    http://www.microsoft.com/technet/security/advisory/961051.mspx

    Alan

    "Alan" <> wrote in message
    news:...
    > Here's a News Article carried today by the BBC at
    > http://news.bbc.co.uk/2/hi/technology/7784908.stm
    >
    > Serious security flaw found in IE
    >
    > Users of Microsoft's Internet Explorer are being urged by experts to
    > switch to a rival until a serious security flaw has been fixed.
    >
    > The flaw in Microsoft's Internet Explorer could allow criminals to take
    > control of people's computers and steal their passwords, internet experts
    > say.
    >
    > Microsoft urged people to be vigilant while it investigated and prepared
    > an emergency patch to resolve it.
    >
    > Internet Explorer is used by the vast majority of the world's computer
    > users.
    >
    >
    > "Microsoft is continuing its investigation of public reports of attacks
    > against a new vulnerability in Internet Explorer," said the firm in a
    > security advisory alert about the flaw.
    >
    > Microsoft says it has detected attacks against IE 7.0 but said the
    > "underlying vulnerability" was present in all versions of the browser.
    >
    > Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable
    > to the flaw Microsoft has identified.
    >
    > Browser bait
    >
    > "In this case, hackers found the hole before Microsoft did," said Rick
    > Ferguson, senior security advisor at Trend Micro. "This is never a good
    > thing."
    >
    > As many as 10,000 websites have been compromised since the vulnerability
    > was discovered, he said.
    >
    > "What we've seen from the exploit so far is it stealing game passwords,
    > but it's inevitable that it will be adapted by criminals," he said. "It's
    > just a question of modifying the payload the trojan installs."
    >
    >
    > Said Mr Ferguson: "If users can find an alternative browser, then that's
    > good mitigation against the threat."
    >
    > But Microsoft counselled against taking such action.
    >
    > "I cannot recommend people switch due to this one flaw," said John Curran,
    > head of Microsoft UK's Windows group.
    >
    > He added: "We're trying to get this resolved as soon as possible.
    >
    > "At present, this exploit only seems to affect 0.02% of internet sites,"
    > said Mr Curran. "In terms of vulnerability, it only seems to be affecting
    > IE7 users at the moment, but could well encompass other versions in time."
    >
    > Richard Cox, chief information officer of anti-spam body The Spamhaus
    > Project and an expert on privacy and cyber security, echoed Trend Micro's
    > warning.
    >
    > "It won't be long before someone reverse engineers this exploit for more
    > fraudulent purposes. Trend Mico's advice [of switching to an alternative
    > web browser] is very sensible," he said.
    >
    > PC Pro magazine's security editor, Darien Graham-Smith, said that there
    > was a virtual arms race going on, with hackers always on the look out for
    > new vulnerabilities.
    >
    > "The message needs to get out that this malicious code can be planted on
    > any web site, so simple careful browsing isn't enough."
    >
    > "It's a shame Microsoft have not been able to fix this more quickly, but
    > letting people know about this flaw was the right thing to do. If you keep
    > flaws like this quiet, people are put at risk without knowing it."
    >
    > "Every browser is susceptible to vulnerabilities from time to time. It's
    > fine to say 'don't use Internet Explorer' for now, but other browsers may
    > well find themselves in a similar situation," he added.
    >
    >
    >
     
    Alan, Dec 16, 2008
    #2
    1. Advertisements

  3. Alan

    Elmwood Boy Guest

    Dose this mean we should'nt be useing IE7 or changing to another browser¿

    E-Boy=)

    "Alan" wrote:

    > Here's a News Article carried today by the BBC at
    > http://news.bbc.co.uk/2/hi/technology/7784908.stm
    >
    > Serious security flaw found in IE
    >
    > Users of Microsoft's Internet Explorer are being urged by experts to switch
    > to a rival until a serious security flaw has been fixed.
    >
    > The flaw in Microsoft's Internet Explorer could allow criminals to take
    > control of people's computers and steal their passwords, internet experts
    > say.
    >
    > Microsoft urged people to be vigilant while it investigated and prepared an
    > emergency patch to resolve it.
    >
    > Internet Explorer is used by the vast majority of the world's computer
    > users.
    >
    >
    > "Microsoft is continuing its investigation of public reports of attacks
    > against a new vulnerability in Internet Explorer," said the firm in a
    > security advisory alert about the flaw.
    >
    > Microsoft says it has detected attacks against IE 7.0 but said the
    > "underlying vulnerability" was present in all versions of the browser.
    >
    > Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable
    > to the flaw Microsoft has identified.
    >
    > Browser bait
    >
    > "In this case, hackers found the hole before Microsoft did," said Rick
    > Ferguson, senior security advisor at Trend Micro. "This is never a good
    > thing."
    >
    > As many as 10,000 websites have been compromised since the vulnerability was
    > discovered, he said.
    >
    > "What we've seen from the exploit so far is it stealing game passwords, but
    > it's inevitable that it will be adapted by criminals," he said. "It's just a
    > question of modifying the payload the trojan installs."
    >
    >
    > Said Mr Ferguson: "If users can find an alternative browser, then that's
    > good mitigation against the threat."
    >
    > But Microsoft counselled against taking such action.
    >
    > "I cannot recommend people switch due to this one flaw," said John Curran,
    > head of Microsoft UK's Windows group.
    >
    > He added: "We're trying to get this resolved as soon as possible.
    >
    > "At present, this exploit only seems to affect 0.02% of internet sites,"
    > said Mr Curran. "In terms of vulnerability, it only seems to be affecting
    > IE7 users at the moment, but could well encompass other versions in time."
    >
    > Richard Cox, chief information officer of anti-spam body The Spamhaus
    > Project and an expert on privacy and cyber security, echoed Trend Micro's
    > warning.
    >
    > "It won't be long before someone reverse engineers this exploit for more
    > fraudulent purposes. Trend Mico's advice [of switching to an alternative web
    > browser] is very sensible," he said.
    >
    > PC Pro magazine's security editor, Darien Graham-Smith, said that there was
    > a virtual arms race going on, with hackers always on the look out for new
    > vulnerabilities.
    >
    > "The message needs to get out that this malicious code can be planted on any
    > web site, so simple careful browsing isn't enough."
    >
    > "It's a shame Microsoft have not been able to fix this more quickly, but
    > letting people know about this flaw was the right thing to do. If you keep
    > flaws like this quiet, people are put at risk without knowing it."
    >
    > "Every browser is susceptible to vulnerabilities from time to time. It's
    > fine to say 'don't use Internet Explorer' for now, but other browsers may
    > well find themselves in a similar situation," he added.
    >
    >
    >
    >
     
    Elmwood Boy, Dec 16, 2008
    #3
  4. Alan

    Tim Clark Guest

    "Elmwood Boy" wrote:

    > Dose this mean we should'nt be useing IE7 or changing to another browser¿
    >
    > E-Boy=)


    I always advise having an alternative/backup browser available in case of
    Zero Day attacks. I use the portable version of Firefox myself but to each
    their own. Just make sure that if you do use an alternative browser for a
    backup that it is as fully patched and as locked down as possible during the
    crises. And that you update your normal browser as soon as a patch is
    available.

    And of course make sure you are using a firewall and antivirus/antimalware
    program as well, often they can help stop an attack before a patch is
    released.
    And, if possible try to do your browsing as a limited users instead of as an
    administrator.

    ?:-/
    Tim
     
    Tim Clark, Dec 16, 2008
    #4
  5. Alan

    Stu Guest

    Very good question, the answer to which, I would say, depends on whether or
    not you are looking at the revelation from MS`s point of view Or the many
    generic security anylists out there. I`m sure MS are not going to `shoot
    themselves in the foot` by saying don`t use explorer - its badly flawed on
    the security front. Bad publicity and who can blame them for that? I could be
    way off base here but, right now, I would say that much depends on your
    surfing habits until they come up with a patch to correct the issue. In the
    meantime, if you really like IE as I do, I would suggest tightening your IE
    security settings a notch or two and be very careful where you go and what
    you reveal. For example. I would not touch Internet Banking until I`m
    confident the issue has been resolved. I`m sure Bill S will have some advice
    sooner or later.

    Stu

    "Elmwood Boy" wrote:

    > Dose this mean we should'nt be useing IE7 or changing to another browser¿
    >
    > E-Boy=)
    >
    > "Alan" wrote:
    >
    > > Here's a News Article carried today by the BBC at
    > > http://news.bbc.co.uk/2/hi/technology/7784908.stm
    > >
    > > Serious security flaw found in IE
    > >
    > > Users of Microsoft's Internet Explorer are being urged by experts to switch
    > > to a rival until a serious security flaw has been fixed.
    > >
    > > The flaw in Microsoft's Internet Explorer could allow criminals to take
    > > control of people's computers and steal their passwords, internet experts
    > > say.
    > >
    > > Microsoft urged people to be vigilant while it investigated and prepared an
    > > emergency patch to resolve it.
    > >
    > > Internet Explorer is used by the vast majority of the world's computer
    > > users.
    > >
    > >
    > > "Microsoft is continuing its investigation of public reports of attacks
    > > against a new vulnerability in Internet Explorer," said the firm in a
    > > security advisory alert about the flaw.
    > >
    > > Microsoft says it has detected attacks against IE 7.0 but said the
    > > "underlying vulnerability" was present in all versions of the browser.
    > >
    > > Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable
    > > to the flaw Microsoft has identified.
    > >
    > > Browser bait
    > >
    > > "In this case, hackers found the hole before Microsoft did," said Rick
    > > Ferguson, senior security advisor at Trend Micro. "This is never a good
    > > thing."
    > >
    > > As many as 10,000 websites have been compromised since the vulnerability was
    > > discovered, he said.
    > >
    > > "What we've seen from the exploit so far is it stealing game passwords, but
    > > it's inevitable that it will be adapted by criminals," he said. "It's just a
    > > question of modifying the payload the trojan installs."
    > >
    > >
    > > Said Mr Ferguson: "If users can find an alternative browser, then that's
    > > good mitigation against the threat."
    > >
    > > But Microsoft counselled against taking such action.
    > >
    > > "I cannot recommend people switch due to this one flaw," said John Curran,
    > > head of Microsoft UK's Windows group.
    > >
    > > He added: "We're trying to get this resolved as soon as possible.
    > >
    > > "At present, this exploit only seems to affect 0.02% of internet sites,"
    > > said Mr Curran. "In terms of vulnerability, it only seems to be affecting
    > > IE7 users at the moment, but could well encompass other versions in time."
    > >
    > > Richard Cox, chief information officer of anti-spam body The Spamhaus
    > > Project and an expert on privacy and cyber security, echoed Trend Micro's
    > > warning.
    > >
    > > "It won't be long before someone reverse engineers this exploit for more
    > > fraudulent purposes. Trend Mico's advice [of switching to an alternative web
    > > browser] is very sensible," he said.
    > >
    > > PC Pro magazine's security editor, Darien Graham-Smith, said that there was
    > > a virtual arms race going on, with hackers always on the look out for new
    > > vulnerabilities.
    > >
    > > "The message needs to get out that this malicious code can be planted on any
    > > web site, so simple careful browsing isn't enough."
    > >
    > > "It's a shame Microsoft have not been able to fix this more quickly, but
    > > letting people know about this flaw was the right thing to do. If you keep
    > > flaws like this quiet, people are put at risk without knowing it."
    > >
    > > "Every browser is susceptible to vulnerabilities from time to time. It's
    > > fine to say 'don't use Internet Explorer' for now, but other browsers may
    > > well find themselves in a similar situation," he added.
    > >
    > >
    > >
    > >
     
    Stu, Dec 16, 2008
    #5
  6. Alan

    mae Guest

    I applied the work arounds recommended in the advisory.
    Should work until:
    http://blogs.technet.com/msrc/archi...on-for-december-2008-out-of-band-release.aspx
    Microsoft Security Bulletin Advance Notification for December 2008
    This is an advance notification of an out-of-band security bulletin that
    Microsoft is intending to release on December 17, 2008.
    Source: http://www.microsoft.com/technet/security/Bulletin/ms08-dec.mspx

    You should subscribe to a security feed or alert from Microsoft,
    then you won't have to wait for someone to else to publish it.
    I get this feed http://blogs.technet.com/msrc/default.aspx

    mae

    "Alan" <> wrote in message
    news:...
    | Here is the official notification from Microsoft which was first published
    | on December 10, 2008 and updated on December 15:
    | http://www.microsoft.com/technet/security/advisory/961051.mspx
    |
    | Alan
    |
    | "Alan" <> wrote in message
    | news:...
    | > Here's a News Article carried today by the BBC at
    | > http://news.bbc.co.uk/2/hi/technology/7784908.stm
    | >
    | > Serious security flaw found in IE
    | >
    | > Users of Microsoft's Internet Explorer are being urged by experts to
    | > switch to a rival until a serious security flaw has been fixed.
    | >
    | > The flaw in Microsoft's Internet Explorer could allow criminals to take
    | > control of people's computers and steal their passwords, internet
    experts
    | > say.
    | >
    | > Microsoft urged people to be vigilant while it investigated and prepared
    | > an emergency patch to resolve it.
    | >
    | > Internet Explorer is used by the vast majority of the world's computer
    | > users.
    | >
    | >
    | > "Microsoft is continuing its investigation of public reports of attacks
    | > against a new vulnerability in Internet Explorer," said the firm in a
    | > security advisory alert about the flaw.
    | >
    | > Microsoft says it has detected attacks against IE 7.0 but said the
    | > "underlying vulnerability" was present in all versions of the browser.
    | >
    | > Other browsers, such as Firefox, Opera, Chrome, Safari, are not
    vulnerable
    | > to the flaw Microsoft has identified.
    | >
    | > Browser bait
    | >
    | > "In this case, hackers found the hole before Microsoft did," said Rick
    | > Ferguson, senior security advisor at Trend Micro. "This is never a good
    | > thing."
    | >
    | > As many as 10,000 websites have been compromised since the vulnerability
    | > was discovered, he said.
    | >
    | > "What we've seen from the exploit so far is it stealing game passwords,
    | > but it's inevitable that it will be adapted by criminals," he said.
    "It's
    | > just a question of modifying the payload the trojan installs."
    | >
    | >
    | > Said Mr Ferguson: "If users can find an alternative browser, then that's
    | > good mitigation against the threat."
    | >
    | > But Microsoft counselled against taking such action.
    | >
    | > "I cannot recommend people switch due to this one flaw," said John
    Curran,
    | > head of Microsoft UK's Windows group.
    | >
    | > He added: "We're trying to get this resolved as soon as possible.
    | >
    | > "At present, this exploit only seems to affect 0.02% of internet sites,"
    | > said Mr Curran. "In terms of vulnerability, it only seems to be
    affecting
    | > IE7 users at the moment, but could well encompass other versions in
    time."
    | >
    | > Richard Cox, chief information officer of anti-spam body The Spamhaus
    | > Project and an expert on privacy and cyber security, echoed Trend
    Micro's
    | > warning.
    | >
    | > "It won't be long before someone reverse engineers this exploit for more
    | > fraudulent purposes. Trend Mico's advice [of switching to an alternative
    | > web browser] is very sensible," he said.
    | >
    | > PC Pro magazine's security editor, Darien Graham-Smith, said that there
    | > was a virtual arms race going on, with hackers always on the look out
    for
    | > new vulnerabilities.
    | >
    | > "The message needs to get out that this malicious code can be planted on
    | > any web site, so simple careful browsing isn't enough."
    | >
    | > "It's a shame Microsoft have not been able to fix this more quickly, but
    | > letting people know about this flaw was the right thing to do. If you
    keep
    | > flaws like this quiet, people are put at risk without knowing it."
    | >
    | > "Every browser is susceptible to vulnerabilities from time to time. It's
    | > fine to say 'don't use Internet Explorer' for now, but other browsers
    may
    | > well find themselves in a similar situation," he added.
    | >
    | >
    | >
    |
    |
     
    mae, Dec 16, 2008
    #6
  7. Alan

    Guest

    "Alan" <> wrote:

    > Here is the official notification from Microsoft which was first published
    > on December 10, 2008 and updated on December 15:
    > http://www.microsoft.com/technet/security/advisory/961051.mspx
    >
    > Alan
    >


    Thanks! I made the recommended changes and then was asked six times
    about scripts when loading a Yahoo home page news article.

    Also in the bulletin, under Workarounds > Set Internet and Intranet...,
    the item "2. In the Select a Web content zone to specify its current
    security settings box,... " my XP/SP3 does not contain the phrase
    "Select a Web content zone..."

    Gene
     
    , Dec 16, 2008
    #7
  8. Alan

    robinb Guest

    looks like it will -take a look here

    http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx

    robin

    "Alan" <> wrote in message
    news:...
    > Here's a News Article carried today by the BBC at
    > http://news.bbc.co.uk/2/hi/technology/7784908.stm
    >
    > Serious security flaw found in IE
    >
    > Users of Microsoft's Internet Explorer are being urged by experts to
    > switch to a rival until a serious security flaw has been fixed.
    >
    > The flaw in Microsoft's Internet Explorer could allow criminals to take
    > control of people's computers and steal their passwords, internet experts
    > say.
    >
    > Microsoft urged people to be vigilant while it investigated and prepared
    > an emergency patch to resolve it.
    >
    > Internet Explorer is used by the vast majority of the world's computer
    > users.
    >
    >
    > "Microsoft is continuing its investigation of public reports of attacks
    > against a new vulnerability in Internet Explorer," said the firm in a
    > security advisory alert about the flaw.
    >
    > Microsoft says it has detected attacks against IE 7.0 but said the
    > "underlying vulnerability" was present in all versions of the browser.
    >
    > Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable
    > to the flaw Microsoft has identified.
    >
    > Browser bait
    >
    > "In this case, hackers found the hole before Microsoft did," said Rick
    > Ferguson, senior security advisor at Trend Micro. "This is never a good
    > thing."
    >
    > As many as 10,000 websites have been compromised since the vulnerability
    > was discovered, he said.
    >
    > "What we've seen from the exploit so far is it stealing game passwords,
    > but it's inevitable that it will be adapted by criminals," he said. "It's
    > just a question of modifying the payload the trojan installs."
    >
    >
    > Said Mr Ferguson: "If users can find an alternative browser, then that's
    > good mitigation against the threat."
    >
    > But Microsoft counselled against taking such action.
    >
    > "I cannot recommend people switch due to this one flaw," said John Curran,
    > head of Microsoft UK's Windows group.
    >
    > He added: "We're trying to get this resolved as soon as possible.
    >
    > "At present, this exploit only seems to affect 0.02% of internet sites,"
    > said Mr Curran. "In terms of vulnerability, it only seems to be affecting
    > IE7 users at the moment, but could well encompass other versions in time."
    >
    > Richard Cox, chief information officer of anti-spam body The Spamhaus
    > Project and an expert on privacy and cyber security, echoed Trend Micro's
    > warning.
    >
    > "It won't be long before someone reverse engineers this exploit for more
    > fraudulent purposes. Trend Mico's advice [of switching to an alternative
    > web browser] is very sensible," he said.
    >
    > PC Pro magazine's security editor, Darien Graham-Smith, said that there
    > was a virtual arms race going on, with hackers always on the look out for
    > new vulnerabilities.
    >
    > "The message needs to get out that this malicious code can be planted on
    > any web site, so simple careful browsing isn't enough."
    >
    > "It's a shame Microsoft have not been able to fix this more quickly, but
    > letting people know about this flaw was the right thing to do. If you keep
    > flaws like this quiet, people are put at risk without knowing it."
    >
    > "Every browser is susceptible to vulnerabilities from time to time. It's
    > fine to say 'don't use Internet Explorer' for now, but other browsers may
    > well find themselves in a similar situation," he added.
    >
    >
    >
     
    robinb, Dec 16, 2008
    #8
  9. Alan

    robinb Guest

    I use firefox exclusivity except for Windows updates
    I will wait for tomorrow to get the patch
    and my clients only use firefox too
    robin


    "Alan" <> wrote in message
    news:...
    > Here's a News Article carried today by the BBC at
    > http://news.bbc.co.uk/2/hi/technology/7784908.stm
    >
    > Serious security flaw found in IE
    >
    > Users of Microsoft's Internet Explorer are being urged by experts to
    > switch to a rival until a serious security flaw has been fixed.
    >
    > The flaw in Microsoft's Internet Explorer could allow criminals to take
    > control of people's computers and steal their passwords, internet experts
    > say.
    >
    > Microsoft urged people to be vigilant while it investigated and prepared
    > an emergency patch to resolve it.
    >
    > Internet Explorer is used by the vast majority of the world's computer
    > users.
    >
    >
    > "Microsoft is continuing its investigation of public reports of attacks
    > against a new vulnerability in Internet Explorer," said the firm in a
    > security advisory alert about the flaw.
    >
    > Microsoft says it has detected attacks against IE 7.0 but said the
    > "underlying vulnerability" was present in all versions of the browser.
    >
    > Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable
    > to the flaw Microsoft has identified.
    >
    > Browser bait
    >
    > "In this case, hackers found the hole before Microsoft did," said Rick
    > Ferguson, senior security advisor at Trend Micro. "This is never a good
    > thing."
    >
    > As many as 10,000 websites have been compromised since the vulnerability
    > was discovered, he said.
    >
    > "What we've seen from the exploit so far is it stealing game passwords,
    > but it's inevitable that it will be adapted by criminals," he said. "It's
    > just a question of modifying the payload the trojan installs."
    >
    >
    > Said Mr Ferguson: "If users can find an alternative browser, then that's
    > good mitigation against the threat."
    >
    > But Microsoft counselled against taking such action.
    >
    > "I cannot recommend people switch due to this one flaw," said John Curran,
    > head of Microsoft UK's Windows group.
    >
    > He added: "We're trying to get this resolved as soon as possible.
    >
    > "At present, this exploit only seems to affect 0.02% of internet sites,"
    > said Mr Curran. "In terms of vulnerability, it only seems to be affecting
    > IE7 users at the moment, but could well encompass other versions in time."
    >
    > Richard Cox, chief information officer of anti-spam body The Spamhaus
    > Project and an expert on privacy and cyber security, echoed Trend Micro's
    > warning.
    >
    > "It won't be long before someone reverse engineers this exploit for more
    > fraudulent purposes. Trend Mico's advice [of switching to an alternative
    > web browser] is very sensible," he said.
    >
    > PC Pro magazine's security editor, Darien Graham-Smith, said that there
    > was a virtual arms race going on, with hackers always on the look out for
    > new vulnerabilities.
    >
    > "The message needs to get out that this malicious code can be planted on
    > any web site, so simple careful browsing isn't enough."
    >
    > "It's a shame Microsoft have not been able to fix this more quickly, but
    > letting people know about this flaw was the right thing to do. If you keep
    > flaws like this quiet, people are put at risk without knowing it."
    >
    > "Every browser is susceptible to vulnerabilities from time to time. It's
    > fine to say 'don't use Internet Explorer' for now, but other browsers may
    > well find themselves in a similar situation," he added.
    >
    >
    >
     
    robinb, Dec 16, 2008
    #9
  10. Alan

    Pat Willener Guest

    Why? I always run Microsoft Update on Firefox. (IE Tab add-on may be
    required.)

    robinb wrote:
    > I use firefox exclusivity except for Windows updates
    > I will wait for tomorrow to get the patch
    > and my clients only use firefox too
    > robin
    >
    >
    > "Alan" <> wrote in message
    > news:...
    >> Here's a News Article carried today by the BBC at
    >> http://news.bbc.co.uk/2/hi/technology/7784908.stm
    >>
    >> Serious security flaw found in IE
    >>
    >> Users of Microsoft's Internet Explorer are being urged by experts to
    >> switch to a rival until a serious security flaw has been fixed.
    >>
    >> The flaw in Microsoft's Internet Explorer could allow criminals to take
    >> control of people's computers and steal their passwords, internet experts
    >> say.
    >>
    >> Microsoft urged people to be vigilant while it investigated and prepared
    >> an emergency patch to resolve it.
    >>
    >> Internet Explorer is used by the vast majority of the world's computer
    >> users.
    >>
    >>
    >> "Microsoft is continuing its investigation of public reports of attacks
    >> against a new vulnerability in Internet Explorer," said the firm in a
    >> security advisory alert about the flaw.
    >>
    >> Microsoft says it has detected attacks against IE 7.0 but said the
    >> "underlying vulnerability" was present in all versions of the browser.
    >>
    >> Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable
    >> to the flaw Microsoft has identified.
    >>
    >> Browser bait
    >>
    >> "In this case, hackers found the hole before Microsoft did," said Rick
    >> Ferguson, senior security advisor at Trend Micro. "This is never a good
    >> thing."
    >>
    >> As many as 10,000 websites have been compromised since the vulnerability
    >> was discovered, he said.
    >>
    >> "What we've seen from the exploit so far is it stealing game passwords,
    >> but it's inevitable that it will be adapted by criminals," he said. "It's
    >> just a question of modifying the payload the trojan installs."
    >>
    >>
    >> Said Mr Ferguson: "If users can find an alternative browser, then that's
    >> good mitigation against the threat."
    >>
    >> But Microsoft counselled against taking such action.
    >>
    >> "I cannot recommend people switch due to this one flaw," said John Curran,
    >> head of Microsoft UK's Windows group.
    >>
    >> He added: "We're trying to get this resolved as soon as possible.
    >>
    >> "At present, this exploit only seems to affect 0.02% of internet sites,"
    >> said Mr Curran. "In terms of vulnerability, it only seems to be affecting
    >> IE7 users at the moment, but could well encompass other versions in time."
    >>
    >> Richard Cox, chief information officer of anti-spam body The Spamhaus
    >> Project and an expert on privacy and cyber security, echoed Trend Micro's
    >> warning.
    >>
    >> "It won't be long before someone reverse engineers this exploit for more
    >> fraudulent purposes. Trend Mico's advice [of switching to an alternative
    >> web browser] is very sensible," he said.
    >>
    >> PC Pro magazine's security editor, Darien Graham-Smith, said that there
    >> was a virtual arms race going on, with hackers always on the look out for
    >> new vulnerabilities.
    >>
    >> "The message needs to get out that this malicious code can be planted on
    >> any web site, so simple careful browsing isn't enough."
    >>
    >> "It's a shame Microsoft have not been able to fix this more quickly, but
    >> letting people know about this flaw was the right thing to do. If you keep
    >> flaws like this quiet, people are put at risk without knowing it."
    >>
    >> "Every browser is susceptible to vulnerabilities from time to time. It's
    >> fine to say 'don't use Internet Explorer' for now, but other browsers may
    >> well find themselves in a similar situation," he added.
     
    Pat Willener, Dec 17, 2008
    #10
  11. Alan

    Pat Willener Guest

    Thank you for the links below.

    mae wrote:
    > I applied the work arounds recommended in the advisory.
    > Should work until:
    > http://blogs.technet.com/msrc/archi...on-for-december-2008-out-of-band-release.aspx
    > Microsoft Security Bulletin Advance Notification for December 2008
    > This is an advance notification of an out-of-band security bulletin that
    > Microsoft is intending to release on December 17, 2008.
    > Source: http://www.microsoft.com/technet/security/Bulletin/ms08-dec.mspx
    >
    > You should subscribe to a security feed or alert from Microsoft,
    > then you won't have to wait for someone to else to publish it.
    > I get this feed http://blogs.technet.com/msrc/default.aspx
    >
    > mae
    >
    > "Alan" <> wrote in message
    > news:...
    > | Here is the official notification from Microsoft which was first published
    > | on December 10, 2008 and updated on December 15:
    > | http://www.microsoft.com/technet/security/advisory/961051.mspx
    > |
    > | Alan
    > |
    > | "Alan" <> wrote in message
    > | news:...
    > | > Here's a News Article carried today by the BBC at
    > | > http://news.bbc.co.uk/2/hi/technology/7784908.stm
    > | >
    > | > Serious security flaw found in IE
    > | >
    > | > Users of Microsoft's Internet Explorer are being urged by experts to
    > | > switch to a rival until a serious security flaw has been fixed.
    > | >
    > | > The flaw in Microsoft's Internet Explorer could allow criminals to take
    > | > control of people's computers and steal their passwords, internet
    > experts
    > | > say.
    > | >
    > | > Microsoft urged people to be vigilant while it investigated and prepared
    > | > an emergency patch to resolve it.
    > | >
    > | > Internet Explorer is used by the vast majority of the world's computer
    > | > users.
    > | >
    > | >
    > | > "Microsoft is continuing its investigation of public reports of attacks
    > | > against a new vulnerability in Internet Explorer," said the firm in a
    > | > security advisory alert about the flaw.
    > | >
    > | > Microsoft says it has detected attacks against IE 7.0 but said the
    > | > "underlying vulnerability" was present in all versions of the browser.
    > | >
    > | > Other browsers, such as Firefox, Opera, Chrome, Safari, are not
    > vulnerable
    > | > to the flaw Microsoft has identified.
    > | >
    > | > Browser bait
    > | >
    > | > "In this case, hackers found the hole before Microsoft did," said Rick
    > | > Ferguson, senior security advisor at Trend Micro. "This is never a good
    > | > thing."
    > | >
    > | > As many as 10,000 websites have been compromised since the vulnerability
    > | > was discovered, he said.
    > | >
    > | > "What we've seen from the exploit so far is it stealing game passwords,
    > | > but it's inevitable that it will be adapted by criminals," he said.
    > "It's
    > | > just a question of modifying the payload the trojan installs."
    > | >
    > | >
    > | > Said Mr Ferguson: "If users can find an alternative browser, then that's
    > | > good mitigation against the threat."
    > | >
    > | > But Microsoft counselled against taking such action.
    > | >
    > | > "I cannot recommend people switch due to this one flaw," said John
    > Curran,
    > | > head of Microsoft UK's Windows group.
    > | >
    > | > He added: "We're trying to get this resolved as soon as possible.
    > | >
    > | > "At present, this exploit only seems to affect 0.02% of internet sites,"
    > | > said Mr Curran. "In terms of vulnerability, it only seems to be
    > affecting
    > | > IE7 users at the moment, but could well encompass other versions in
    > time."
    > | >
    > | > Richard Cox, chief information officer of anti-spam body The Spamhaus
    > | > Project and an expert on privacy and cyber security, echoed Trend
    > Micro's
    > | > warning.
    > | >
    > | > "It won't be long before someone reverse engineers this exploit for more
    > | > fraudulent purposes. Trend Mico's advice [of switching to an alternative
    > | > web browser] is very sensible," he said.
    > | >
    > | > PC Pro magazine's security editor, Darien Graham-Smith, said that there
    > | > was a virtual arms race going on, with hackers always on the look out
    > for
    > | > new vulnerabilities.
    > | >
    > | > "The message needs to get out that this malicious code can be planted on
    > | > any web site, so simple careful browsing isn't enough."
    > | >
    > | > "It's a shame Microsoft have not been able to fix this more quickly, but
    > | > letting people know about this flaw was the right thing to do. If you
    > keep
    > | > flaws like this quiet, people are put at risk without knowing it."
    > | >
    > | > "Every browser is susceptible to vulnerabilities from time to time. It's
    > | > fine to say 'don't use Internet Explorer' for now, but other browsers
    > may
    > | > well find themselves in a similar situation," he added.
     
    Pat Willener, Dec 17, 2008
    #11
  12. Alan

    Stu Guest

    Really? Last time I tried WU pdate thru Firefox many months ago I got
    something like this:

    "Thank you for your interest in obtaining updates from our site.

    To use this site, you must be running Microsoft Internet Explorer 5 or later.

    To upgrade to the latest version of the browser, go to the Internet Explorer
    Downloads website.

    If you prefer to use a different web browser, you can obtain updates from
    the Microsoft Download Center or you can stay up to date with the latest
    critical and security updates by using Automatic Updates. To turn on
    Automatic Updates:

    1. Click Start, and then click Control Panel.
    2. Depending on which Control Panel view you use, Classic or Category, do
    one of the following:
    * Click System, and then click the Automatic Updates tab.
    * Click Performance and Maintenance, click System, and then click
    the Automatic Updates tab.
    3. Click the option that you want. Make sure Automatic Updates is not
    turned off.

    Didn`t see an `IE tab add on` either.

    Stu

    "Pat Willener" wrote:

    > Why? I always run Microsoft Update on Firefox. (IE Tab add-on may be
    > required.)
    >
    > robinb wrote:
    > > I use firefox exclusivity except for Windows updates
    > > I will wait for tomorrow to get the patch
    > > and my clients only use firefox too
    > > robin
    > >
    > >
    > > "Alan" <> wrote in message
    > > news:...
    > >> Here's a News Article carried today by the BBC at
    > >> http://news.bbc.co.uk/2/hi/technology/7784908.stm
    > >>
    > >> Serious security flaw found in IE
    > >>
    > >> Users of Microsoft's Internet Explorer are being urged by experts to
    > >> switch to a rival until a serious security flaw has been fixed.
    > >>
    > >> The flaw in Microsoft's Internet Explorer could allow criminals to take
    > >> control of people's computers and steal their passwords, internet experts
    > >> say.
    > >>
    > >> Microsoft urged people to be vigilant while it investigated and prepared
    > >> an emergency patch to resolve it.
    > >>
    > >> Internet Explorer is used by the vast majority of the world's computer
    > >> users.
    > >>
    > >>
    > >> "Microsoft is continuing its investigation of public reports of attacks
    > >> against a new vulnerability in Internet Explorer," said the firm in a
    > >> security advisory alert about the flaw.
    > >>
    > >> Microsoft says it has detected attacks against IE 7.0 but said the
    > >> "underlying vulnerability" was present in all versions of the browser.
    > >>
    > >> Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable
    > >> to the flaw Microsoft has identified.
    > >>
    > >> Browser bait
    > >>
    > >> "In this case, hackers found the hole before Microsoft did," said Rick
    > >> Ferguson, senior security advisor at Trend Micro. "This is never a good
    > >> thing."
    > >>
    > >> As many as 10,000 websites have been compromised since the vulnerability
    > >> was discovered, he said.
    > >>
    > >> "What we've seen from the exploit so far is it stealing game passwords,
    > >> but it's inevitable that it will be adapted by criminals," he said. "It's
    > >> just a question of modifying the payload the trojan installs."
    > >>
    > >>
    > >> Said Mr Ferguson: "If users can find an alternative browser, then that's
    > >> good mitigation against the threat."
    > >>
    > >> But Microsoft counselled against taking such action.
    > >>
    > >> "I cannot recommend people switch due to this one flaw," said John Curran,
    > >> head of Microsoft UK's Windows group.
    > >>
    > >> He added: "We're trying to get this resolved as soon as possible.
    > >>
    > >> "At present, this exploit only seems to affect 0.02% of internet sites,"
    > >> said Mr Curran. "In terms of vulnerability, it only seems to be affecting
    > >> IE7 users at the moment, but could well encompass other versions in time."
    > >>
    > >> Richard Cox, chief information officer of anti-spam body The Spamhaus
    > >> Project and an expert on privacy and cyber security, echoed Trend Micro's
    > >> warning.
    > >>
    > >> "It won't be long before someone reverse engineers this exploit for more
    > >> fraudulent purposes. Trend Mico's advice [of switching to an alternative
    > >> web browser] is very sensible," he said.
    > >>
    > >> PC Pro magazine's security editor, Darien Graham-Smith, said that there
    > >> was a virtual arms race going on, with hackers always on the look out for
    > >> new vulnerabilities.
    > >>
    > >> "The message needs to get out that this malicious code can be planted on
    > >> any web site, so simple careful browsing isn't enough."
    > >>
    > >> "It's a shame Microsoft have not been able to fix this more quickly, but
    > >> letting people know about this flaw was the right thing to do. If you keep
    > >> flaws like this quiet, people are put at risk without knowing it."
    > >>
    > >> "Every browser is susceptible to vulnerabilities from time to time. It's
    > >> fine to say 'don't use Internet Explorer' for now, but other browsers may
    > >> well find themselves in a similar situation," he added.

    >
     
    Stu, Dec 17, 2008
    #12
  13. A patch for this will be issued tomorrow, as others in this thead have noted
    (oops--today!)

    I'd advise installing this patch.

    That's what I plan to do.

    --

    "Alan" <> wrote in message
    news:...
    > Here's a News Article carried today by the BBC at
    > http://news.bbc.co.uk/2/hi/technology/7784908.stm
    >
    > Serious security flaw found in IE
    >
    > Users of Microsoft's Internet Explorer are being urged by experts to
    > switch to a rival until a serious security flaw has been fixed.
    >
    > The flaw in Microsoft's Internet Explorer could allow criminals to take
    > control of people's computers and steal their passwords, internet experts
    > say.
    >
    > Microsoft urged people to be vigilant while it investigated and prepared
    > an emergency patch to resolve it.
    >
    > Internet Explorer is used by the vast majority of the world's computer
    > users.
    >
    >
    > "Microsoft is continuing its investigation of public reports of attacks
    > against a new vulnerability in Internet Explorer," said the firm in a
    > security advisory alert about the flaw.
    >
    > Microsoft says it has detected attacks against IE 7.0 but said the
    > "underlying vulnerability" was present in all versions of the browser.
    >
    > Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable
    > to the flaw Microsoft has identified.
    >
    > Browser bait
    >
    > "In this case, hackers found the hole before Microsoft did," said Rick
    > Ferguson, senior security advisor at Trend Micro. "This is never a good
    > thing."
    >
    > As many as 10,000 websites have been compromised since the vulnerability
    > was discovered, he said.
    >
    > "What we've seen from the exploit so far is it stealing game passwords,
    > but it's inevitable that it will be adapted by criminals," he said. "It's
    > just a question of modifying the payload the trojan installs."
    >
    >
    > Said Mr Ferguson: "If users can find an alternative browser, then that's
    > good mitigation against the threat."
    >
    > But Microsoft counselled against taking such action.
    >
    > "I cannot recommend people switch due to this one flaw," said John Curran,
    > head of Microsoft UK's Windows group.
    >
    > He added: "We're trying to get this resolved as soon as possible.
    >
    > "At present, this exploit only seems to affect 0.02% of internet sites,"
    > said Mr Curran. "In terms of vulnerability, it only seems to be affecting
    > IE7 users at the moment, but could well encompass other versions in time."
    >
    > Richard Cox, chief information officer of anti-spam body The Spamhaus
    > Project and an expert on privacy and cyber security, echoed Trend Micro's
    > warning.
    >
    > "It won't be long before someone reverse engineers this exploit for more
    > fraudulent purposes. Trend Mico's advice [of switching to an alternative
    > web browser] is very sensible," he said.
    >
    > PC Pro magazine's security editor, Darien Graham-Smith, said that there
    > was a virtual arms race going on, with hackers always on the look out for
    > new vulnerabilities.
    >
    > "The message needs to get out that this malicious code can be planted on
    > any web site, so simple careful browsing isn't enough."
    >
    > "It's a shame Microsoft have not been able to fix this more quickly, but
    > letting people know about this flaw was the right thing to do. If you keep
    > flaws like this quiet, people are put at risk without knowing it."
    >
    > "Every browser is susceptible to vulnerabilities from time to time. It's
    > fine to say 'don't use Internet Explorer' for now, but other browsers may
    > well find themselves in a similar situation," he added.
    >
    >
    >
     
    Bill Sanderson, Dec 17, 2008
    #13
  14. Alan

    Stu Guest

    Panic over Bill? You know, maybe I`m too laid back with these security
    issues. I can never understand why there is this tendency for a `knee jerk`
    reaction with associated buzz on these NGs - like bees which have just been
    awoken from their hives. Everything buzzing around (deliberating and
    speculating) while someone works quietly in the background resolving the
    issue. Perhaps there are times when ignorance is bliss ;;))

    Stu

    "Bill Sanderson" wrote:

    > A patch for this will be issued tomorrow, as others in this thead have noted
    > (oops--today!)
    >
    > I'd advise installing this patch.
    >
    > That's what I plan to do.
    >
    > --
    >
    > "Alan" <> wrote in message
    > news:...
    > > Here's a News Article carried today by the BBC at
    > > http://news.bbc.co.uk/2/hi/technology/7784908.stm
    > >
    > > Serious security flaw found in IE
    > >
    > > Users of Microsoft's Internet Explorer are being urged by experts to
    > > switch to a rival until a serious security flaw has been fixed.
    > >
    > > The flaw in Microsoft's Internet Explorer could allow criminals to take
    > > control of people's computers and steal their passwords, internet experts
    > > say.
    > >
    > > Microsoft urged people to be vigilant while it investigated and prepared
    > > an emergency patch to resolve it.
    > >
    > > Internet Explorer is used by the vast majority of the world's computer
    > > users.
    > >
    > >
    > > "Microsoft is continuing its investigation of public reports of attacks
    > > against a new vulnerability in Internet Explorer," said the firm in a
    > > security advisory alert about the flaw.
    > >
    > > Microsoft says it has detected attacks against IE 7.0 but said the
    > > "underlying vulnerability" was present in all versions of the browser.
    > >
    > > Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable
    > > to the flaw Microsoft has identified.
    > >
    > > Browser bait
    > >
    > > "In this case, hackers found the hole before Microsoft did," said Rick
    > > Ferguson, senior security advisor at Trend Micro. "This is never a good
    > > thing."
    > >
    > > As many as 10,000 websites have been compromised since the vulnerability
    > > was discovered, he said.
    > >
    > > "What we've seen from the exploit so far is it stealing game passwords,
    > > but it's inevitable that it will be adapted by criminals," he said. "It's
    > > just a question of modifying the payload the trojan installs."
    > >
    > >
    > > Said Mr Ferguson: "If users can find an alternative browser, then that's
    > > good mitigation against the threat."
    > >
    > > But Microsoft counselled against taking such action.
    > >
    > > "I cannot recommend people switch due to this one flaw," said John Curran,
    > > head of Microsoft UK's Windows group.
    > >
    > > He added: "We're trying to get this resolved as soon as possible.
    > >
    > > "At present, this exploit only seems to affect 0.02% of internet sites,"
    > > said Mr Curran. "In terms of vulnerability, it only seems to be affecting
    > > IE7 users at the moment, but could well encompass other versions in time."
    > >
    > > Richard Cox, chief information officer of anti-spam body The Spamhaus
    > > Project and an expert on privacy and cyber security, echoed Trend Micro's
    > > warning.
    > >
    > > "It won't be long before someone reverse engineers this exploit for more
    > > fraudulent purposes. Trend Mico's advice [of switching to an alternative
    > > web browser] is very sensible," he said.
    > >
    > > PC Pro magazine's security editor, Darien Graham-Smith, said that there
    > > was a virtual arms race going on, with hackers always on the look out for
    > > new vulnerabilities.
    > >
    > > "The message needs to get out that this malicious code can be planted on
    > > any web site, so simple careful browsing isn't enough."
    > >
    > > "It's a shame Microsoft have not been able to fix this more quickly, but
    > > letting people know about this flaw was the right thing to do. If you keep
    > > flaws like this quiet, people are put at risk without knowing it."
    > >
    > > "Every browser is susceptible to vulnerabilities from time to time. It's
    > > fine to say 'don't use Internet Explorer' for now, but other browsers may
    > > well find themselves in a similar situation," he added.
    > >
    > >
    > >

    >
    >
     
    Stu, Dec 17, 2008
    #14
  15. "Bill Sanderson" <> wrote in message
    news:%...
    > A patch for this will be issued tomorrow, as others in this thead have

    noted
    > (oops--today!)
    >
    > I'd advise installing this patch.
    >
    > That's what I plan to do.


    Good morning, Bill.

    I have made this fix:
    cacls "Program Files\Common Files\System\Ole DB\oledb32.dll" /E /P
    everyone:N
    as per:
    http://www.microsoft.com/technet/security/advisory/961051.mspx

    Is there any need to undo that?
     
    Anonymous Bob, Dec 17, 2008
    #15
  16. I managed to not broadcast this issue to the users I support--but several
    people either asked about it or sent me information about the issue to make
    sure I knew about it.

    I wasn't yet ready to put into effect the work-arounds Microsoft has
    supplied, given my understanding of the extent of the risk--and I see no
    point in creating fear and doubt without a clear set of actions to
    prescribe.

    I did write everyone this morning asking that they apply today's patch as
    soon as it is convenient for them, and I'll be doing that manually on
    systems I can reach when it is available.

    This was a close call--the code to exploit the vulnerability was publicly
    available since December 10th--meaning that anyone could pick it up and make
    use of it. Fortunately, it required that you visit a web site to be
    infected--it isn't something that can directly infect from an email message.

    There were some innocent sites that were hacked to distribute this malicious
    code--which is a good part of where the real risk lies for users who don't
    frequent porn sites.

    I doubt that my users were making use of the features of Internet Explorer
    that would be disabled by the simpler work-arounds for this exploit, but I'm
    not certain of that, and did't want to have to fix this twice--once via a
    work-around and then need to reverse that and install the final patch.

    I'm glad they were able to produce a patch quickly.

    --

    "Stu" <> wrote in message
    news:...
    > Panic over Bill? You know, maybe I`m too laid back with these security
    > issues. I can never understand why there is this tendency for a `knee
    > jerk`
    > reaction with associated buzz on these NGs - like bees which have just
    > been
    > awoken from their hives. Everything buzzing around (deliberating and
    > speculating) while someone works quietly in the background resolving the
    > issue. Perhaps there are times when ignorance is bliss ;;))
    >
    > Stu
    >
    > "Bill Sanderson" wrote:
    >
    >> A patch for this will be issued tomorrow, as others in this thead have
    >> noted
    >> (oops--today!)
    >>
    >> I'd advise installing this patch.
    >>
    >> That's what I plan to do.
    >>
    >> --
    >>
    >> "Alan" <> wrote in message
    >> news:...
    >> > Here's a News Article carried today by the BBC at
    >> > http://news.bbc.co.uk/2/hi/technology/7784908.stm
    >> >
    >> > Serious security flaw found in IE
    >> >
    >> > Users of Microsoft's Internet Explorer are being urged by experts to
    >> > switch to a rival until a serious security flaw has been fixed.
    >> >
    >> > The flaw in Microsoft's Internet Explorer could allow criminals to take
    >> > control of people's computers and steal their passwords, internet
    >> > experts
    >> > say.
    >> >
    >> > Microsoft urged people to be vigilant while it investigated and
    >> > prepared
    >> > an emergency patch to resolve it.
    >> >
    >> > Internet Explorer is used by the vast majority of the world's computer
    >> > users.
    >> >
    >> >
    >> > "Microsoft is continuing its investigation of public reports of attacks
    >> > against a new vulnerability in Internet Explorer," said the firm in a
    >> > security advisory alert about the flaw.
    >> >
    >> > Microsoft says it has detected attacks against IE 7.0 but said the
    >> > "underlying vulnerability" was present in all versions of the browser.
    >> >
    >> > Other browsers, such as Firefox, Opera, Chrome, Safari, are not
    >> > vulnerable
    >> > to the flaw Microsoft has identified.
    >> >
    >> > Browser bait
    >> >
    >> > "In this case, hackers found the hole before Microsoft did," said Rick
    >> > Ferguson, senior security advisor at Trend Micro. "This is never a good
    >> > thing."
    >> >
    >> > As many as 10,000 websites have been compromised since the
    >> > vulnerability
    >> > was discovered, he said.
    >> >
    >> > "What we've seen from the exploit so far is it stealing game passwords,
    >> > but it's inevitable that it will be adapted by criminals," he said.
    >> > "It's
    >> > just a question of modifying the payload the trojan installs."
    >> >
    >> >
    >> > Said Mr Ferguson: "If users can find an alternative browser, then
    >> > that's
    >> > good mitigation against the threat."
    >> >
    >> > But Microsoft counselled against taking such action.
    >> >
    >> > "I cannot recommend people switch due to this one flaw," said John
    >> > Curran,
    >> > head of Microsoft UK's Windows group.
    >> >
    >> > He added: "We're trying to get this resolved as soon as possible.
    >> >
    >> > "At present, this exploit only seems to affect 0.02% of internet
    >> > sites,"
    >> > said Mr Curran. "In terms of vulnerability, it only seems to be
    >> > affecting
    >> > IE7 users at the moment, but could well encompass other versions in
    >> > time."
    >> >
    >> > Richard Cox, chief information officer of anti-spam body The Spamhaus
    >> > Project and an expert on privacy and cyber security, echoed Trend
    >> > Micro's
    >> > warning.
    >> >
    >> > "It won't be long before someone reverse engineers this exploit for
    >> > more
    >> > fraudulent purposes. Trend Mico's advice [of switching to an
    >> > alternative
    >> > web browser] is very sensible," he said.
    >> >
    >> > PC Pro magazine's security editor, Darien Graham-Smith, said that there
    >> > was a virtual arms race going on, with hackers always on the look out
    >> > for
    >> > new vulnerabilities.
    >> >
    >> > "The message needs to get out that this malicious code can be planted
    >> > on
    >> > any web site, so simple careful browsing isn't enough."
    >> >
    >> > "It's a shame Microsoft have not been able to fix this more quickly,
    >> > but
    >> > letting people know about this flaw was the right thing to do. If you
    >> > keep
    >> > flaws like this quiet, people are put at risk without knowing it."
    >> >
    >> > "Every browser is susceptible to vulnerabilities from time to time.
    >> > It's
    >> > fine to say 'don't use Internet Explorer' for now, but other browsers
    >> > may
    >> > well find themselves in a similar situation," he added.
    >> >
    >> >
    >> >

    >>
    >>
     
    Bill Sanderson, Dec 17, 2008
    #16
  17. I think I'm going to need to read more to say. My recollection is that the
    undoing is a bit more complex than the original change.

    I suspect that the answer is that you will need to undo that change in order
    to restore full functionality--but whether or not you need that
    functionality I'm unsure, nor am I sure what symptom you would see should
    you in the future hit something that needed the functionality, but was
    failing because of the permissions change.

    which is a long-winded way of saying I dunno... yet.

    --

    "Anonymous Bob" <> wrote in message
    news:%...
    >
    > "Bill Sanderson" <> wrote in message
    > news:%...
    >> A patch for this will be issued tomorrow, as others in this thead have

    > noted
    >> (oops--today!)
    >>
    >> I'd advise installing this patch.
    >>
    >> That's what I plan to do.

    >
    > Good morning, Bill.
    >
    > I have made this fix:
    > cacls "Program Files\Common Files\System\Ole DB\oledb32.dll" /E /P
    > everyone:N
    > as per:
    > http://www.microsoft.com/technet/security/advisory/961051.mspx
    >
    > Is there any need to undo that?
    >
    >
     
    Bill Sanderson, Dec 17, 2008
    #17
  18. Here's an example of the impact of one of the work-arounds:

    http://isc.sans.org/diary.html?storyid=5503&rss

    I saw this on one machine I used yesterday. I need to speak to the usual
    user of that system and find out why I saw that symptom--he's a very
    non-technical person, but somebody might well have told him this was a good
    thing to do.


    --

    "Anonymous Bob" <> wrote in message
    news:%...
    >
    > "Bill Sanderson" <> wrote in message
    > news:%...
    >> A patch for this will be issued tomorrow, as others in this thead have

    > noted
    >> (oops--today!)
    >>
    >> I'd advise installing this patch.
    >>
    >> That's what I plan to do.

    >
    > Good morning, Bill.
    >
    > I have made this fix:
    > cacls "Program Files\Common Files\System\Ole DB\oledb32.dll" /E /P
    > everyone:N
    > as per:
    > http://www.microsoft.com/technet/security/advisory/961051.mspx
    >
    > Is there any need to undo that?
    >
    >
     
    Bill Sanderson, Dec 17, 2008
    #18
  19. Alan

    Stu Guest

    Great stuff! I have to admit hearing about it a few days back thru some `Non
    Microsoft employees in the IT field` I know over here. BUT like most rumours
    I tend to be slightly skeptical until someone convinces me it is time to
    seriously `sit up in class` and really take notice time. I feel its a
    delicate balance between unecessary scarmongering and making people aware of
    what they should know until there is a conclusive fix or work around if
    possible - as you suggest in your post.

    Lets be careful out there. HSB.

    Stu

    "Bill Sanderson" wrote:

    > I managed to not broadcast this issue to the users I support--but several
    > people either asked about it or sent me information about the issue to make
    > sure I knew about it.
    >
    > I wasn't yet ready to put into effect the work-arounds Microsoft has
    > supplied, given my understanding of the extent of the risk--and I see no
    > point in creating fear and doubt without a clear set of actions to
    > prescribe.
    >
    > I did write everyone this morning asking that they apply today's patch as
    > soon as it is convenient for them, and I'll be doing that manually on
    > systems I can reach when it is available.
    >
    > This was a close call--the code to exploit the vulnerability was publicly
    > available since December 10th--meaning that anyone could pick it up and make
    > use of it. Fortunately, it required that you visit a web site to be
    > infected--it isn't something that can directly infect from an email message.
    >
    > There were some innocent sites that were hacked to distribute this malicious
    > code--which is a good part of where the real risk lies for users who don't
    > frequent porn sites.
    >
    > I doubt that my users were making use of the features of Internet Explorer
    > that would be disabled by the simpler work-arounds for this exploit, but I'm
    > not certain of that, and did't want to have to fix this twice--once via a
    > work-around and then need to reverse that and install the final patch.
    >
    > I'm glad they were able to produce a patch quickly.
    >
    > --
    >
    > "Stu" <> wrote in message
    > news:...
    > > Panic over Bill? You know, maybe I`m too laid back with these security
    > > issues. I can never understand why there is this tendency for a `knee
    > > jerk`
    > > reaction with associated buzz on these NGs - like bees which have just
    > > been
    > > awoken from their hives. Everything buzzing around (deliberating and
    > > speculating) while someone works quietly in the background resolving the
    > > issue. Perhaps there are times when ignorance is bliss ;;))
    > >
    > > Stu
    > >
    > > "Bill Sanderson" wrote:
    > >
    > >> A patch for this will be issued tomorrow, as others in this thead have
    > >> noted
    > >> (oops--today!)
    > >>
    > >> I'd advise installing this patch.
    > >>
    > >> That's what I plan to do.
    > >>
    > >> --
    > >>
    > >> "Alan" <> wrote in message
    > >> news:...
    > >> > Here's a News Article carried today by the BBC at
    > >> > http://news.bbc.co.uk/2/hi/technology/7784908.stm
    > >> >
    > >> > Serious security flaw found in IE
    > >> >
    > >> > Users of Microsoft's Internet Explorer are being urged by experts to
    > >> > switch to a rival until a serious security flaw has been fixed.
    > >> >
    > >> > The flaw in Microsoft's Internet Explorer could allow criminals to take
    > >> > control of people's computers and steal their passwords, internet
    > >> > experts
    > >> > say.
    > >> >
    > >> > Microsoft urged people to be vigilant while it investigated and
    > >> > prepared
    > >> > an emergency patch to resolve it.
    > >> >
    > >> > Internet Explorer is used by the vast majority of the world's computer
    > >> > users.
    > >> >
    > >> >
    > >> > "Microsoft is continuing its investigation of public reports of attacks
    > >> > against a new vulnerability in Internet Explorer," said the firm in a
    > >> > security advisory alert about the flaw.
    > >> >
    > >> > Microsoft says it has detected attacks against IE 7.0 but said the
    > >> > "underlying vulnerability" was present in all versions of the browser.
    > >> >
    > >> > Other browsers, such as Firefox, Opera, Chrome, Safari, are not
    > >> > vulnerable
    > >> > to the flaw Microsoft has identified.
    > >> >
    > >> > Browser bait
    > >> >
    > >> > "In this case, hackers found the hole before Microsoft did," said Rick
    > >> > Ferguson, senior security advisor at Trend Micro. "This is never a good
    > >> > thing."
    > >> >
    > >> > As many as 10,000 websites have been compromised since the
    > >> > vulnerability
    > >> > was discovered, he said.
    > >> >
    > >> > "What we've seen from the exploit so far is it stealing game passwords,
    > >> > but it's inevitable that it will be adapted by criminals," he said.
    > >> > "It's
    > >> > just a question of modifying the payload the trojan installs."
    > >> >
    > >> >
    > >> > Said Mr Ferguson: "If users can find an alternative browser, then
    > >> > that's
    > >> > good mitigation against the threat."
    > >> >
    > >> > But Microsoft counselled against taking such action.
    > >> >
    > >> > "I cannot recommend people switch due to this one flaw," said John
    > >> > Curran,
    > >> > head of Microsoft UK's Windows group.
    > >> >
    > >> > He added: "We're trying to get this resolved as soon as possible.
    > >> >
    > >> > "At present, this exploit only seems to affect 0.02% of internet
    > >> > sites,"
    > >> > said Mr Curran. "In terms of vulnerability, it only seems to be
    > >> > affecting
    > >> > IE7 users at the moment, but could well encompass other versions in
    > >> > time."
    > >> >
    > >> > Richard Cox, chief information officer of anti-spam body The Spamhaus
    > >> > Project and an expert on privacy and cyber security, echoed Trend
    > >> > Micro's
    > >> > warning.
    > >> >
    > >> > "It won't be long before someone reverse engineers this exploit for
    > >> > more
    > >> > fraudulent purposes. Trend Mico's advice [of switching to an
    > >> > alternative
    > >> > web browser] is very sensible," he said.
    > >> >
    > >> > PC Pro magazine's security editor, Darien Graham-Smith, said that there
    > >> > was a virtual arms race going on, with hackers always on the look out
    > >> > for
    > >> > new vulnerabilities.
    > >> >
    > >> > "The message needs to get out that this malicious code can be planted
    > >> > on
    > >> > any web site, so simple careful browsing isn't enough."
    > >> >
    > >> > "It's a shame Microsoft have not been able to fix this more quickly,
    > >> > but
    > >> > letting people know about this flaw was the right thing to do. If you
    > >> > keep
    > >> > flaws like this quiet, people are put at risk without knowing it."
    > >> >
    > >> > "Every browser is susceptible to vulnerabilities from time to time.
    > >> > It's
    > >> > fine to say 'don't use Internet Explorer' for now, but other browsers
    > >> > may
    > >> > well find themselves in a similar situation," he added.
    > >> >
    > >> >
    > >> >
    > >>
    > >>

    >
    >
     
    Stu, Dec 17, 2008
    #19
  20. Alan

    Stu Guest

    Let us not forget the `good` web site devlopers have a certain responsibility
    here.

    Stu

    "Bill Sanderson" wrote:

    > I managed to not broadcast this issue to the users I support--but several
    > people either asked about it or sent me information about the issue to make
    > sure I knew about it.
    >
    > I wasn't yet ready to put into effect the work-arounds Microsoft has
    > supplied, given my understanding of the extent of the risk--and I see no
    > point in creating fear and doubt without a clear set of actions to
    > prescribe.
    >
    > I did write everyone this morning asking that they apply today's patch as
    > soon as it is convenient for them, and I'll be doing that manually on
    > systems I can reach when it is available.
    >
    > This was a close call--the code to exploit the vulnerability was publicly
    > available since December 10th--meaning that anyone could pick it up and make
    > use of it. Fortunately, it required that you visit a web site to be
    > infected--it isn't something that can directly infect from an email message.
    >
    > There were some innocent sites that were hacked to distribute this malicious
    > code--which is a good part of where the real risk lies for users who don't
    > frequent porn sites.
    >
    > I doubt that my users were making use of the features of Internet Explorer
    > that would be disabled by the simpler work-arounds for this exploit, but I'm
    > not certain of that, and did't want to have to fix this twice--once via a
    > work-around and then need to reverse that and install the final patch.
    >
    > I'm glad they were able to produce a patch quickly.
    >
    > --
    >
    > "Stu" <> wrote in message
    > news:...
    > > Panic over Bill? You know, maybe I`m too laid back with these security
    > > issues. I can never understand why there is this tendency for a `knee
    > > jerk`
    > > reaction with associated buzz on these NGs - like bees which have just
    > > been
    > > awoken from their hives. Everything buzzing around (deliberating and
    > > speculating) while someone works quietly in the background resolving the
    > > issue. Perhaps there are times when ignorance is bliss ;;))
    > >
    > > Stu
    > >
    > > "Bill Sanderson" wrote:
    > >
    > >> A patch for this will be issued tomorrow, as others in this thead have
    > >> noted
    > >> (oops--today!)
    > >>
    > >> I'd advise installing this patch.
    > >>
    > >> That's what I plan to do.
    > >>
    > >> --
    > >>
    > >> "Alan" <> wrote in message
    > >> news:...
    > >> > Here's a News Article carried today by the BBC at
    > >> > http://news.bbc.co.uk/2/hi/technology/7784908.stm
    > >> >
    > >> > Serious security flaw found in IE
    > >> >
    > >> > Users of Microsoft's Internet Explorer are being urged by experts to
    > >> > switch to a rival until a serious security flaw has been fixed.
    > >> >
    > >> > The flaw in Microsoft's Internet Explorer could allow criminals to take
    > >> > control of people's computers and steal their passwords, internet
    > >> > experts
    > >> > say.
    > >> >
    > >> > Microsoft urged people to be vigilant while it investigated and
    > >> > prepared
    > >> > an emergency patch to resolve it.
    > >> >
    > >> > Internet Explorer is used by the vast majority of the world's computer
    > >> > users.
    > >> >
    > >> >
    > >> > "Microsoft is continuing its investigation of public reports of attacks
    > >> > against a new vulnerability in Internet Explorer," said the firm in a
    > >> > security advisory alert about the flaw.
    > >> >
    > >> > Microsoft says it has detected attacks against IE 7.0 but said the
    > >> > "underlying vulnerability" was present in all versions of the browser.
    > >> >
    > >> > Other browsers, such as Firefox, Opera, Chrome, Safari, are not
    > >> > vulnerable
    > >> > to the flaw Microsoft has identified.
    > >> >
    > >> > Browser bait
    > >> >
    > >> > "In this case, hackers found the hole before Microsoft did," said Rick
    > >> > Ferguson, senior security advisor at Trend Micro. "This is never a good
    > >> > thing."
    > >> >
    > >> > As many as 10,000 websites have been compromised since the
    > >> > vulnerability
    > >> > was discovered, he said.
    > >> >
    > >> > "What we've seen from the exploit so far is it stealing game passwords,
    > >> > but it's inevitable that it will be adapted by criminals," he said.
    > >> > "It's
    > >> > just a question of modifying the payload the trojan installs."
    > >> >
    > >> >
    > >> > Said Mr Ferguson: "If users can find an alternative browser, then
    > >> > that's
    > >> > good mitigation against the threat."
    > >> >
    > >> > But Microsoft counselled against taking such action.
    > >> >
    > >> > "I cannot recommend people switch due to this one flaw," said John
    > >> > Curran,
    > >> > head of Microsoft UK's Windows group.
    > >> >
    > >> > He added: "We're trying to get this resolved as soon as possible.
    > >> >
    > >> > "At present, this exploit only seems to affect 0.02% of internet
    > >> > sites,"
    > >> > said Mr Curran. "In terms of vulnerability, it only seems to be
    > >> > affecting
    > >> > IE7 users at the moment, but could well encompass other versions in
    > >> > time."
    > >> >
    > >> > Richard Cox, chief information officer of anti-spam body The Spamhaus
    > >> > Project and an expert on privacy and cyber security, echoed Trend
    > >> > Micro's
    > >> > warning.
    > >> >
    > >> > "It won't be long before someone reverse engineers this exploit for
    > >> > more
    > >> > fraudulent purposes. Trend Mico's advice [of switching to an
    > >> > alternative
    > >> > web browser] is very sensible," he said.
    > >> >
    > >> > PC Pro magazine's security editor, Darien Graham-Smith, said that there
    > >> > was a virtual arms race going on, with hackers always on the look out
    > >> > for
    > >> > new vulnerabilities.
    > >> >
    > >> > "The message needs to get out that this malicious code can be planted
    > >> > on
    > >> > any web site, so simple careful browsing isn't enough."
    > >> >
    > >> > "It's a shame Microsoft have not been able to fix this more quickly,
    > >> > but
    > >> > letting people know about this flaw was the right thing to do. If you
    > >> > keep
    > >> > flaws like this quiet, people are put at risk without knowing it."
    > >> >
    > >> > "Every browser is susceptible to vulnerabilities from time to time.
    > >> > It's
    > >> > fine to say 'don't use Internet Explorer' for now, but other browsers
    > >> > may
    > >> > well find themselves in a similar situation," he added.
    > >> >
    > >> >
    > >> >
    > >>
    > >>

    >
    >
     
    Stu, Dec 17, 2008
    #20
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. ranee

    flaw

    ranee, Jan 10, 2005, in forum: Spyware Discussion
    Replies:
    1
    Views:
    533
    Guest
    Jan 10, 2005
  2. Dick Grant

    possible flaw in spyware

    Dick Grant, Mar 2, 2005, in forum: Spyware Discussion
    Replies:
    9
    Views:
    158
    Guest
    Mar 4, 2005
  3. Dan

    Current directory flaw

    Dan, Mar 7, 2005, in forum: Spyware Discussion
    Replies:
    1
    Views:
    154
    Bill Sanderson
    Mar 7, 2005
  4. Guest

    Is this flaw: MSAS not IE trusted site aware

    Guest, May 2, 2005, in forum: Spyware Discussion
    Replies:
    1
    Views:
    159
    Andre Da Costa
    May 2, 2005
  5. Guest
    Replies:
    0
    Views:
    666
    Guest
    Feb 18, 2006
Loading...

Share This Page