Serious security flaw found in IE

[Bill Sanderson]

I think you are right--you must have been seeing the revised advisory, which
has virtually no content, and I, using your link, happened to catch the
original.

There is an extensive workaround section in the new vulnerabilty KB


http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

However, at least for the one I ran into--this set of workarounds appears to
be DIFFERENT from those that were in the advisory.

The code for the .REG file that I used to reverse the issue I saw is no
longer there, if I've read the comparable section. They've changed the
workaround to involve saving a backup .REG file before implementing the
workaround and then using that file to reverse it. I'm sure this is a
better method--but since nobody did that on my system. I would have been up
a creek. I think I will write this up.

--

 

[Bill Sanderson]

Hmm - I'd seen that before, but it isn't where I got my reversal
instructions--my machine was hobbled with the "xml island" fix--and the
reversal code I used is not in there.

--

 

[Bill Sanderson]

1-866-pcsafety...

--

Well...that didn't work!

From scesrv.log:
"----Configure File Security...

File security configuration completed with error."

What's that security phone number you like to give?
;-)

 

[Anonymous Bob]

I think you are right--you must have been seeing the revised advisory, which
has virtually no content, and I, using your link, happened to catch the
original.

There is an extensive workaround section in the new vulnerabilty KB


http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

However, at least for the one I ran into--this set of workarounds appears to
be DIFFERENT from those that were in the advisory.

The code for the .REG file that I used to reverse the issue I saw is no
longer there, if I've read the comparable section. They've changed the
workaround to involve saving a backup .REG file before implementing the
workaround and then using that file to reverse it. I'm sure this is a
better method--but since nobody did that on my system. I would have been up
a creek. I think I will write this up.

I called the pc safety number...twice...I got disconnected the first time
just as we were going to start an interactive session.

The impression I got was that acl lists are outside of their area of
training and expertise. They were no help.

I think, though I'm not certain, that there may be no need to undo the
workaround and perhaps that's why it fails. The failure message is not
informative.

As to the Word97/wordpad issue that Gene mentioned above, I'm entirely
unsure about that. The workaround there appears to be unrelated to
oledb32.dll.

Let me know if you come up with anything.

TIA,
Bob Vanderveen

 

[Pat Willener]

Try it with IE Tab: https://addons.mozilla.org/en-US/firefox/addon/1419

Really? Last time I tried WU pdate thru Firefox many months ago I got
something like this:

"Thank you for your interest in obtaining updates from our site.

To use this site, you must be running Microsoft Internet Explorer 5 or later.

To upgrade to the latest version of the browser, go to the Internet Explorer
Downloads website.

If you prefer to use a different web browser, you can obtain updates from
the Microsoft Download Center or you can stay up to date with the latest
critical and security updates by using Automatic Updates. To turn on
Automatic Updates:

1. Click Start, and then click Control Panel.
2. Depending on which Control Panel view you use, Classic or Category, do
one of the following:
* Click System, and then click the Automatic Updates tab.
* Click Performance and Maintenance, click System, and then click
the Automatic Updates tab.
3. Click the option that you want. Make sure Automatic Updates is not
turned off.

Didn`t see an `IE tab add on` either.

Stu

Why? I always run Microsoft Update on Firefox. (IE Tab add-on may be
required.)

I use firefox exclusivity except for Windows updates
I will wait for tomorrow to get the patch
and my clients only use firefox too
robin


Here's a News Article carried today by the BBC at
http://news.bbc.co.uk/2/hi/technology/7784908.stm

Serious security flaw found in IE

Users of Microsoft's Internet Explorer are being urged by experts to
switch to a rival until a serious security flaw has been fixed.

The flaw in Microsoft's Internet Explorer could allow criminals to take
control of people's computers and steal their passwords, internet experts
say.

Microsoft urged people to be vigilant while it investigated and prepared
an emergency patch to resolve it.

Internet Explorer is used by the vast majority of the world's computer
users.


"Microsoft is continuing its investigation of public reports of attacks
against a new vulnerability in Internet Explorer," said the firm in a
security advisory alert about the flaw.

Microsoft says it has detected attacks against IE 7.0 but said the
"underlying vulnerability" was present in all versions of the browser.

Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable
to the flaw Microsoft has identified.

Browser bait

"In this case, hackers found the hole before Microsoft did," said Rick
Ferguson, senior security advisor at Trend Micro. "This is never a good
thing."

As many as 10,000 websites have been compromised since the vulnerability
was discovered, he said.

"What we've seen from the exploit so far is it stealing game passwords,
but it's inevitable that it will be adapted by criminals," he said. "It's
just a question of modifying the payload the trojan installs."


Said Mr Ferguson: "If users can find an alternative browser, then that's
good mitigation against the threat."

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said John Curran,
head of Microsoft UK's Windows group.

He added: "We're trying to get this resolved as soon as possible.

"At present, this exploit only seems to affect 0.02% of internet sites,"
said Mr Curran. "In terms of vulnerability, it only seems to be affecting
IE7 users at the moment, but could well encompass other versions in time."

Richard Cox, chief information officer of anti-spam body The Spamhaus
Project and an expert on privacy and cyber security, echoed Trend Micro's
warning.

"It won't be long before someone reverse engineers this exploit for more
fraudulent purposes. Trend Mico's advice [of switching to an alternative
web browser] is very sensible," he said.

PC Pro magazine's security editor, Darien Graham-Smith, said that there
was a virtual arms race going on, with hackers always on the look out for
new vulnerabilities.

"The message needs to get out that this malicious code can be planted on
any web site, so simple careful browsing isn't enough."

"It's a shame Microsoft have not been able to fix this more quickly, but
letting people know about this flaw was the right thing to do. If you keep
flaws like this quiet, people are put at risk without knowing it."

"Every browser is susceptible to vulnerabilities from time to time. It's
fine to say 'don't use Internet Explorer' for now, but other browsers may
well find themselves in a similar situation," he added.

 

[gene]

I think you are right--you must have been seeing the revised advisory, which
has virtually no content, and I, using your link, happened to catch the
original.

There is an extensive workaround section in the new vulnerabilty KB
http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

However, at least for the one I ran into--this set of workarounds appears to
be DIFFERENT from those that were in the advisory.

The code for the .REG file that I used to reverse the issue I saw is no
longer there, if I've read the comparable section. They've changed the
workaround to involve saving a backup .REG file before implementing the
workaround and then using that file to reverse it. I'm sure this is a
better method--but since nobody did that on my system. I would have been up
a creek. I think I will write this up.

Bill, thanks for writing it up. There've got to be some fair number of
people who are wondering what happened to the workarounds they
followed. However, I don't see anything labeled workaround or similar
on the page you linked, up front or within the sections.

Gene

 

[Alan]

Okay, Eastern time zone, the same as me here in Boston.

When you first mentioned a 4 hour difference I thought you must have lived
in the Atlantic Time Zone.

East coast US--same as new york city.

I figured out what was going on, besides my fuzzy math about how many
hours there are between me and Redmond.

There either is not a patch for my particular combination of OS and IE, or
it hasn't been distributed yet.

I'm running the public beta of IE8 on the public beta of Vista Service
Pack 2. An MVP is checking on whether there should be such a patch--there
is in some other IE8 instances--but if there is one, I have not seen it.

Consequently I was looking the wrong place for a patch--when I went and
looked on the server, it was there!

--

Bill,

Are you in the Atlantic Time Zone?

Alan

The web "meeting" to talk about it is scheduled for 1 pacific time,
which is 5 our time? It wouldn't surprise me if it came out quite late
in the day. I have just checked in Vista and at the MSRC blog and seen
nothing yet.

so where is this patch? I have not gotten it yet
robin

Folks using these work-arounds should be aware that at least one of
them will break Outlook Web Access, which may be of significance to
anyone in an office using Small Business Server, or in larger networks
using Exchange and Outlook as well.

I recommend reversing these work-arounds prior to applying todays
patch--but I haven't yet read what Microsoft's advice is about this.


I applied the work arounds recommended in the advisory.
Should work until:
http://blogs.technet.com/msrc/archi...on-for-december-2008-out-of-band-release.aspx
Microsoft Security Bulletin Advance Notification for December 2008
This is an advance notification of an out-of-band security bulletin
that
Microsoft is intending to release on December 17, 2008.
Source:
http://www.microsoft.com/technet/security/Bulletin/ms08-dec.mspx

You should subscribe to a security feed or alert from Microsoft,
then you won't have to wait for someone to else to publish it.
I get this feed http://blogs.technet.com/msrc/default.aspx

mae

| Here is the official notification from Microsoft which was first
published
| on December 10, 2008 and updated on December 15:
| http://www.microsoft.com/technet/security/advisory/961051.mspx
|
| Alan
|
| | > Here's a News Article carried today by the BBC at
| > http://news.bbc.co.uk/2/hi/technology/7784908.stm
| >
| > Serious security flaw found in IE
| >
| > Users of Microsoft's Internet Explorer are being urged by experts
to
| > switch to a rival until a serious security flaw has been fixed.
| >
| > The flaw in Microsoft's Internet Explorer could allow criminals
to take
| > control of people's computers and steal their passwords, internet
experts
| > say.
| >
| > Microsoft urged people to be vigilant while it investigated and
prepared
| > an emergency patch to resolve it.
| >
| > Internet Explorer is used by the vast majority of the world's
computer
| > users.
| >
| >
| > "Microsoft is continuing its investigation of public reports of
attacks
| > against a new vulnerability in Internet Explorer," said the firm
in a
| > security advisory alert about the flaw.
| >
| > Microsoft says it has detected attacks against IE 7.0 but said
the
| > "underlying vulnerability" was present in all versions of the
browser.
| >
| > Other browsers, such as Firefox, Opera, Chrome, Safari, are not
vulnerable
| > to the flaw Microsoft has identified.
| >
| > Browser bait
| >
| > "In this case, hackers found the hole before Microsoft did," said
Rick
| > Ferguson, senior security advisor at Trend Micro. "This is never
a good
| > thing."
| >
| > As many as 10,000 websites have been compromised since the
vulnerability
| > was discovered, he said.
| >
| > "What we've seen from the exploit so far is it stealing game
passwords,
| > but it's inevitable that it will be adapted by criminals," he
said.
"It's
| > just a question of modifying the payload the trojan installs."
| >
| >
| > Said Mr Ferguson: "If users can find an alternative browser, then
that's
| > good mitigation against the threat."
| >
| > But Microsoft counselled against taking such action.
| >
| > "I cannot recommend people switch due to this one flaw," said
John
Curran,
| > head of Microsoft UK's Windows group.
| >
| > He added: "We're trying to get this resolved as soon as possible.
| >
| > "At present, this exploit only seems to affect 0.02% of internet
sites,"
| > said Mr Curran. "In terms of vulnerability, it only seems to be
affecting
| > IE7 users at the moment, but could well encompass other versions
in
time."
| >
| > Richard Cox, chief information officer of anti-spam body The
Spamhaus
| > Project and an expert on privacy and cyber security, echoed Trend
Micro's
| > warning.
| >
| > "It won't be long before someone reverse engineers this exploit
for more
| > fraudulent purposes. Trend Mico's advice [of switching to an
alternative
| > web browser] is very sensible," he said.
| >
| > PC Pro magazine's security editor, Darien Graham-Smith, said that
there
| > was a virtual arms race going on, with hackers always on the look
out
for
| > new vulnerabilities.
| >
| > "The message needs to get out that this malicious code can be
planted on
| > any web site, so simple careful browsing isn't enough."
| >
| > "It's a shame Microsoft have not been able to fix this more
quickly, but
| > letting people know about this flaw was the right thing to do. If
you
keep
| > flaws like this quiet, people are put at risk without knowing
it."
| >
| > "Every browser is susceptible to vulnerabilities from time to
time. It's
| > fine to say 'don't use Internet Explorer' for now, but other
browsers
may
| > well find themselves in a similar situation," he added.
| >
| >
| >
|
|

 

[Bill Sanderson]

No, just not thinking too clearly.

I've now found that there is no patch for my combination of IE version and
beta OS service pack. The best advice is to revert one of the two beta's
and so I've ditched IE8 and am running on patched IE7 for the time being.

--

Okay, Eastern time zone, the same as me here in Boston.

When you first mentioned a 4 hour difference I thought you must have lived
in the Atlantic Time Zone.

East coast US--same as new york city.

I figured out what was going on, besides my fuzzy math about how many
hours there are between me and Redmond.

There either is not a patch for my particular combination of OS and IE,
or it hasn't been distributed yet.

I'm running the public beta of IE8 on the public beta of Vista Service
Pack 2. An MVP is checking on whether there should be such a
patch--there is in some other IE8 instances--but if there is one, I have
not seen it.

Consequently I was looking the wrong place for a patch--when I went and
looked on the server, it was there!

--

Bill,

Are you in the Atlantic Time Zone?

Alan

The web "meeting" to talk about it is scheduled for 1 pacific time,
which is 5 our time? It wouldn't surprise me if it came out quite late
in the day. I have just checked in Vista and at the MSRC blog and seen
nothing yet.

so where is this patch? I have not gotten it yet
robin

Folks using these work-arounds should be aware that at least one of
them will break Outlook Web Access, which may be of significance to
anyone in an office using Small Business Server, or in larger
networks using Exchange and Outlook as well.

I recommend reversing these work-arounds prior to applying todays
patch--but I haven't yet read what Microsoft's advice is about this.


I applied the work arounds recommended in the advisory.
Should work until:
http://blogs.technet.com/msrc/archi...on-for-december-2008-out-of-band-release.aspx
Microsoft Security Bulletin Advance Notification for December 2008
This is an advance notification of an out-of-band security bulletin
that
Microsoft is intending to release on December 17, 2008.
Source:
http://www.microsoft.com/technet/security/Bulletin/ms08-dec.mspx

You should subscribe to a security feed or alert from Microsoft,
then you won't have to wait for someone to else to publish it.
I get this feed http://blogs.technet.com/msrc/default.aspx

mae

| Here is the official notification from Microsoft which was first
published
| on December 10, 2008 and updated on December 15:
| http://www.microsoft.com/technet/security/advisory/961051.mspx
|
| Alan
|
| | > Here's a News Article carried today by the BBC at
| > http://news.bbc.co.uk/2/hi/technology/7784908.stm
| >
| > Serious security flaw found in IE
| >
| > Users of Microsoft's Internet Explorer are being urged by
experts to
| > switch to a rival until a serious security flaw has been fixed.
| >
| > The flaw in Microsoft's Internet Explorer could allow criminals
to take
| > control of people's computers and steal their passwords,
internet
experts
| > say.
| >
| > Microsoft urged people to be vigilant while it investigated and
prepared
| > an emergency patch to resolve it.
| >
| > Internet Explorer is used by the vast majority of the world's
computer
| > users.
| >
| >
| > "Microsoft is continuing its investigation of public reports of
attacks
| > against a new vulnerability in Internet Explorer," said the firm
in a
| > security advisory alert about the flaw.
| >
| > Microsoft says it has detected attacks against IE 7.0 but said
the
| > "underlying vulnerability" was present in all versions of the
browser.
| >
| > Other browsers, such as Firefox, Opera, Chrome, Safari, are not
vulnerable
| > to the flaw Microsoft has identified.
| >
| > Browser bait
| >
| > "In this case, hackers found the hole before Microsoft did,"
said Rick
| > Ferguson, senior security advisor at Trend Micro. "This is never
a good
| > thing."
| >
| > As many as 10,000 websites have been compromised since the
vulnerability
| > was discovered, he said.
| >
| > "What we've seen from the exploit so far is it stealing game
passwords,
| > but it's inevitable that it will be adapted by criminals," he
said.
"It's
| > just a question of modifying the payload the trojan installs."
| >
| >
| > Said Mr Ferguson: "If users can find an alternative browser,
then that's
| > good mitigation against the threat."
| >
| > But Microsoft counselled against taking such action.
| >
| > "I cannot recommend people switch due to this one flaw," said
John
Curran,
| > head of Microsoft UK's Windows group.
| >
| > He added: "We're trying to get this resolved as soon as
possible.
| >
| > "At present, this exploit only seems to affect 0.02% of internet
sites,"
| > said Mr Curran. "In terms of vulnerability, it only seems to be
affecting
| > IE7 users at the moment, but could well encompass other versions
in
time."
| >
| > Richard Cox, chief information officer of anti-spam body The
Spamhaus
| > Project and an expert on privacy and cyber security, echoed
Trend
Micro's
| > warning.
| >
| > "It won't be long before someone reverse engineers this exploit
for more
| > fraudulent purposes. Trend Mico's advice [of switching to an
alternative
| > web browser] is very sensible," he said.
| >
| > PC Pro magazine's security editor, Darien Graham-Smith, said
that there
| > was a virtual arms race going on, with hackers always on the
look out
for
| > new vulnerabilities.
| >
| > "The message needs to get out that this malicious code can be
planted on
| > any web site, so simple careful browsing isn't enough."
| >
| > "It's a shame Microsoft have not been able to fix this more
quickly, but
| > letting people know about this flaw was the right thing to do.
If you
keep
| > flaws like this quiet, people are put at risk without knowing
it."
| >
| > "Every browser is susceptible to vulnerabilities from time to
time. It's
| > fine to say 'don't use Internet Explorer' for now, but other
browsers
may
| > well find themselves in a similar situation," he added.
| >
| >
| >
|
|

 

[Stu]

Many thanks for the link Pat

Stu

Try it with IE Tab: https://addons.mozilla.org/en-US/firefox/addon/1419

Really? Last time I tried WU pdate thru Firefox many months ago I got
something like this:

"Thank you for your interest in obtaining updates from our site.

To use this site, you must be running Microsoft Internet Explorer 5 or later.

To upgrade to the latest version of the browser, go to the Internet Explorer
Downloads website.

If you prefer to use a different web browser, you can obtain updates from
the Microsoft Download Center or you can stay up to date with the latest
critical and security updates by using Automatic Updates. To turn on
Automatic Updates:

1. Click Start, and then click Control Panel.
2. Depending on which Control Panel view you use, Classic or Category, do
one of the following:
* Click System, and then click the Automatic Updates tab.
* Click Performance and Maintenance, click System, and then click
the Automatic Updates tab.
3. Click the option that you want. Make sure Automatic Updates is not
turned off.

Didn`t see an `IE tab add on` either.

Stu

Why? I always run Microsoft Update on Firefox. (IE Tab add-on may be
required.)

robinb wrote:
I use firefox exclusivity except for Windows updates
I will wait for tomorrow to get the patch
and my clients only use firefox too
robin


Here's a News Article carried today by the BBC at
http://news.bbc.co.uk/2/hi/technology/7784908.stm

Serious security flaw found in IE

Users of Microsoft's Internet Explorer are being urged by experts to
switch to a rival until a serious security flaw has been fixed.

The flaw in Microsoft's Internet Explorer could allow criminals to take
control of people's computers and steal their passwords, internet experts
say.

Microsoft urged people to be vigilant while it investigated and prepared
an emergency patch to resolve it.

Internet Explorer is used by the vast majority of the world's computer
users.


"Microsoft is continuing its investigation of public reports of attacks
against a new vulnerability in Internet Explorer," said the firm in a
security advisory alert about the flaw.

Microsoft says it has detected attacks against IE 7.0 but said the
"underlying vulnerability" was present in all versions of the browser.

Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable
to the flaw Microsoft has identified.

Browser bait

"In this case, hackers found the hole before Microsoft did," said Rick
Ferguson, senior security advisor at Trend Micro. "This is never a good
thing."

As many as 10,000 websites have been compromised since the vulnerability
was discovered, he said.

"What we've seen from the exploit so far is it stealing game passwords,
but it's inevitable that it will be adapted by criminals," he said. "It's
just a question of modifying the payload the trojan installs."


Said Mr Ferguson: "If users can find an alternative browser, then that's
good mitigation against the threat."

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said John Curran,
head of Microsoft UK's Windows group.

He added: "We're trying to get this resolved as soon as possible.

"At present, this exploit only seems to affect 0.02% of internet sites,"
said Mr Curran. "In terms of vulnerability, it only seems to be affecting
IE7 users at the moment, but could well encompass other versions in time."

Richard Cox, chief information officer of anti-spam body The Spamhaus
Project and an expert on privacy and cyber security, echoed Trend Micro's
warning.

"It won't be long before someone reverse engineers this exploit for more
fraudulent purposes. Trend Mico's advice [of switching to an alternative
web browser] is very sensible," he said.

PC Pro magazine's security editor, Darien Graham-Smith, said that there
was a virtual arms race going on, with hackers always on the look out for
new vulnerabilities.

"The message needs to get out that this malicious code can be planted on
any web site, so simple careful browsing isn't enough."

"It's a shame Microsoft have not been able to fix this more quickly, but
letting people know about this flaw was the right thing to do. If you keep
flaws like this quiet, people are put at risk without knowing it."

"Every browser is susceptible to vulnerabilities from time to time. It's
fine to say 'don't use Internet Explorer' for now, but other browsers may
well find themselves in a similar situation," he added.

 

[Stu]

So that is where it could all fall down? That begs the question of staff
training which will invoke awareness - not to mention education. Its all very
well guys `like yourself ` taking a professional approach to Internet
Security` but if the training of admins and floor level staff is not evident
in that particular organisation? Time to wonder. Are there situations when
you feel like you are walking uphill with a 60lb back pack?

Stu

They do indeed. Although it is appropriate to blame the folks who hack
legitimate sites and install malware, clearly the admins of those legitimate
sites have not been doing all they could have.

(and so I say, as an admin of half a dozen such sites. It's a balancing
act--I know very little about web authoring, MySQL, or the various packages
that various developers have used over time to develop the sites I have
overall charge of. I try to stay on top of security issues, and I do
discuss the specific issue of SQL injection attacks with our developers just
to see how they respond. This stuff is not cut and dried--there isn't any
simple testing tool that can tell you whether or not your site is safe, as
far as I can tell--it is a question of the skills of your staff. )

Let us not forget the `good` web site devlopers have a certain
responsibility
here.

Stu

I managed to not broadcast this issue to the users I support--but several
people either asked about it or sent me information about the issue to
make
sure I knew about it.

I wasn't yet ready to put into effect the work-arounds Microsoft has
supplied, given my understanding of the extent of the risk--and I see no
point in creating fear and doubt without a clear set of actions to
prescribe.

I did write everyone this morning asking that they apply today's patch as
soon as it is convenient for them, and I'll be doing that manually on
systems I can reach when it is available.

This was a close call--the code to exploit the vulnerability was publicly
available since December 10th--meaning that anyone could pick it up and
make
use of it. Fortunately, it required that you visit a web site to be
infected--it isn't something that can directly infect from an email
message.

There were some innocent sites that were hacked to distribute this
malicious
code--which is a good part of where the real risk lies for users who
don't
frequent porn sites.

I doubt that my users were making use of the features of Internet
Explorer
that would be disabled by the simpler work-arounds for this exploit, but
I'm
not certain of that, and did't want to have to fix this twice--once via a
work-around and then need to reverse that and install the final patch.

I'm glad they were able to produce a patch quickly.

--

Panic over Bill? You know, maybe I`m too laid back with these security
issues. I can never understand why there is this tendency for a `knee
jerk`
reaction with associated buzz on these NGs - like bees which have just
been
awoken from their hives. Everything buzzing around (deliberating and
speculating) while someone works quietly in the background resolving
the
issue. Perhaps there are times when ignorance is bliss ;)

Stu

:

A patch for this will be issued tomorrow, as others in this thead have
noted
(oops--today!)

I'd advise installing this patch.

That's what I plan to do.

--

Here's a News Article carried today by the BBC at
http://news.bbc.co.uk/2/hi/technology/7784908.stm

Serious security flaw found in IE

Users of Microsoft's Internet Explorer are being urged by experts to
switch to a rival until a serious security flaw has been fixed.

The flaw in Microsoft's Internet Explorer could allow criminals to
take
control of people's computers and steal their passwords, internet
experts
say.

Microsoft urged people to be vigilant while it investigated and
prepared
an emergency patch to resolve it.

Internet Explorer is used by the vast majority of the world's
computer
users.


"Microsoft is continuing its investigation of public reports of
attacks
against a new vulnerability in Internet Explorer," said the firm in
a
security advisory alert about the flaw.

Microsoft says it has detected attacks against IE 7.0 but said the
"underlying vulnerability" was present in all versions of the
browser.

Other browsers, such as Firefox, Opera, Chrome, Safari, are not
vulnerable
to the flaw Microsoft has identified.

Browser bait

"In this case, hackers found the hole before Microsoft did," said
Rick
Ferguson, senior security advisor at Trend Micro. "This is never a
good
thing."

As many as 10,000 websites have been compromised since the
vulnerability
was discovered, he said.

"What we've seen from the exploit so far is it stealing game
passwords,
but it's inevitable that it will be adapted by criminals," he said.
"It's
just a question of modifying the payload the trojan installs."


Said Mr Ferguson: "If users can find an alternative browser, then
that's
good mitigation against the threat."

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said John
Curran,
head of Microsoft UK's Windows group.

He added: "We're trying to get this resolved as soon as possible.

"At present, this exploit only seems to affect 0.02% of internet
sites,"
said Mr Curran. "In terms of vulnerability, it only seems to be
affecting
IE7 users at the moment, but could well encompass other versions in
time."

Richard Cox, chief information officer of anti-spam body The
Spamhaus
Project and an expert on privacy and cyber security, echoed Trend
Micro's
warning.

"It won't be long before someone reverse engineers this exploit for
more
fraudulent purposes. Trend Mico's advice [of switching to an
alternative
web browser] is very sensible," he said.

PC Pro magazine's security editor, Darien Graham-Smith, said that
there
was a virtual arms race going on, with hackers always on the look
out
for
new vulnerabilities.

"The message needs to get out that this malicious code can be
planted
on
any web site, so simple careful browsing isn't enough."

"It's a shame Microsoft have not been able to fix this more quickly,
but
letting people know about this flaw was the right thing to do. If
you
keep
flaws like this quiet, people are put at risk without knowing it."

"Every browser is susceptible to vulnerabilities from time to time.
It's
fine to say 'don't use Internet Explorer' for now, but other
browsers
may
well find themselves in a similar situation," he added.

 

[Stu]

Robinb. Very nice lady. I don`t see it now but you have/had a signature which
makes a reference to being a `Hostage` to your computer. May I suggest
`Slave` would be a better word. Hostage seems rather radical - if you know
what I mean ! Tell me to `mind my own business ` (or butt out if you will!!)
- I have broad shoulders.

Stu

so where is this patch? I have not gotten it yet
robin

Folks using these work-arounds should be aware that at least one of them
will break Outlook Web Access, which may be of significance to anyone in
an office using Small Business Server, or in larger networks using
Exchange and Outlook as well.

I recommend reversing these work-arounds prior to applying todays
patch--but I haven't yet read what Microsoft's advice is about this.

I applied the work arounds recommended in the advisory.
Should work until:
http://blogs.technet.com/msrc/archi...on-for-december-2008-out-of-band-release.aspx
Microsoft Security Bulletin Advance Notification for December 2008
This is an advance notification of an out-of-band security bulletin that
Microsoft is intending to release on December 17, 2008.
Source: http://www.microsoft.com/technet/security/Bulletin/ms08-dec.mspx

You should subscribe to a security feed or alert from Microsoft,
then you won't have to wait for someone to else to publish it.
I get this feed http://blogs.technet.com/msrc/default.aspx

mae

| Here is the official notification from Microsoft which was first
published
| on December 10, 2008 and updated on December 15:
| http://www.microsoft.com/technet/security/advisory/961051.mspx
|
| Alan
|
| | > Here's a News Article carried today by the BBC at
| > http://news.bbc.co.uk/2/hi/technology/7784908.stm
| >
| > Serious security flaw found in IE
| >
| > Users of Microsoft's Internet Explorer are being urged by experts to
| > switch to a rival until a serious security flaw has been fixed.
| >
| > The flaw in Microsoft's Internet Explorer could allow criminals to
take
| > control of people's computers and steal their passwords, internet
experts
| > say.
| >
| > Microsoft urged people to be vigilant while it investigated and
prepared
| > an emergency patch to resolve it.
| >
| > Internet Explorer is used by the vast majority of the world's
computer
| > users.
| >
| >
| > "Microsoft is continuing its investigation of public reports of
attacks
| > against a new vulnerability in Internet Explorer," said the firm in a
| > security advisory alert about the flaw.
| >
| > Microsoft says it has detected attacks against IE 7.0 but said the
| > "underlying vulnerability" was present in all versions of the
browser.
| >
| > Other browsers, such as Firefox, Opera, Chrome, Safari, are not
vulnerable
| > to the flaw Microsoft has identified.
| >
| > Browser bait
| >
| > "In this case, hackers found the hole before Microsoft did," said
Rick
| > Ferguson, senior security advisor at Trend Micro. "This is never a
good
| > thing."
| >
| > As many as 10,000 websites have been compromised since the
vulnerability
| > was discovered, he said.
| >
| > "What we've seen from the exploit so far is it stealing game
passwords,
| > but it's inevitable that it will be adapted by criminals," he said.
"It's
| > just a question of modifying the payload the trojan installs."
| >
| >
| > Said Mr Ferguson: "If users can find an alternative browser, then
that's
| > good mitigation against the threat."
| >
| > But Microsoft counselled against taking such action.
| >
| > "I cannot recommend people switch due to this one flaw," said John
Curran,
| > head of Microsoft UK's Windows group.
| >
| > He added: "We're trying to get this resolved as soon as possible.
| >
| > "At present, this exploit only seems to affect 0.02% of internet
sites,"
| > said Mr Curran. "In terms of vulnerability, it only seems to be
affecting
| > IE7 users at the moment, but could well encompass other versions in
time."
| >
| > Richard Cox, chief information officer of anti-spam body The Spamhaus
| > Project and an expert on privacy and cyber security, echoed Trend
Micro's
| > warning.
| >
| > "It won't be long before someone reverse engineers this exploit for
more
| > fraudulent purposes. Trend Mico's advice [of switching to an
alternative
| > web browser] is very sensible," he said.
| >
| > PC Pro magazine's security editor, Darien Graham-Smith, said that
there
| > was a virtual arms race going on, with hackers always on the look out
for
| > new vulnerabilities.
| >
| > "The message needs to get out that this malicious code can be planted
on
| > any web site, so simple careful browsing isn't enough."
| >
| > "It's a shame Microsoft have not been able to fix this more quickly,
but
| > letting people know about this flaw was the right thing to do. If you
keep
| > flaws like this quiet, people are put at risk without knowing it."
| >
| > "Every browser is susceptible to vulnerabilities from time to time.
It's
| > fine to say 'don't use Internet Explorer' for now, but other browsers
may
| > well find themselves in a similar situation," he added.
| >
| >
| >
|
|

 

[Bill Sanderson]

I suppose it may take a few incidents to teach an organization that the cute
web site that they can put out there for next to nothing, all done by those
amazing techies with whom we can barely communicate is in fact a major risk
of substantial embarassment or worse when things go wrong. I suspect the
vast majority of sites out there depend on contractors for the vast majority
of the technical knowledge involved--and those contractors may well have
neither the specific guidance (they aren't getting paid to watch the
changing security landscape and improve their design as needed), nor the
sense of ownership (their name isn't on the site)--that might help.

In fact, my day to day work often involves hours of keystrokes merging lists
for mailings, and every aspect of computer use from building them to
describing how to use the out of office features in Outlook. Most jobs
involve more breadth of knowledge than a given occupant may have when he
starts it--and in technical jobs--that breadth may be growing faster than
the job occupant has time to learn!

That's how I ended up in newsgroups in the first place--looking for
technical answers that weren't in the manual, and I didn't know.


--

So that is where it could all fall down? That begs the question of staff
training which will invoke awareness - not to mention education. Its all
very
well guys `like yourself ` taking a professional approach to Internet
Security` but if the training of admins and floor level staff is not
evident
in that particular organisation? Time to wonder. Are there situations when
you feel like you are walking uphill with a 60lb back pack?

Stu

They do indeed. Although it is appropriate to blame the folks who hack
legitimate sites and install malware, clearly the admins of those
legitimate
sites have not been doing all they could have.

(and so I say, as an admin of half a dozen such sites. It's a balancing
act--I know very little about web authoring, MySQL, or the various
packages
that various developers have used over time to develop the sites I have
overall charge of. I try to stay on top of security issues, and I do
discuss the specific issue of SQL injection attacks with our developers
just
to see how they respond. This stuff is not cut and dried--there isn't
any
simple testing tool that can tell you whether or not your site is safe,
as
far as I can tell--it is a question of the skills of your staff. )

Let us not forget the `good` web site devlopers have a certain
responsibility
here.

Stu

:

I managed to not broadcast this issue to the users I support--but
several
people either asked about it or sent me information about the issue to
make
sure I knew about it.

I wasn't yet ready to put into effect the work-arounds Microsoft has
supplied, given my understanding of the extent of the risk--and I see
no
point in creating fear and doubt without a clear set of actions to
prescribe.

I did write everyone this morning asking that they apply today's patch
as
soon as it is convenient for them, and I'll be doing that manually on
systems I can reach when it is available.

This was a close call--the code to exploit the vulnerability was
publicly
available since December 10th--meaning that anyone could pick it up
and
make
use of it. Fortunately, it required that you visit a web site to be
infected--it isn't something that can directly infect from an email
message.

There were some innocent sites that were hacked to distribute this
malicious
code--which is a good part of where the real risk lies for users who
don't
frequent porn sites.

I doubt that my users were making use of the features of Internet
Explorer
that would be disabled by the simpler work-arounds for this exploit,
but
I'm
not certain of that, and did't want to have to fix this twice--once
via a
work-around and then need to reverse that and install the final patch.

I'm glad they were able to produce a patch quickly.

--

Panic over Bill? You know, maybe I`m too laid back with these
security
issues. I can never understand why there is this tendency for a
`knee
jerk`
reaction with associated buzz on these NGs - like bees which have
just
been
awoken from their hives. Everything buzzing around (deliberating and
speculating) while someone works quietly in the background resolving
the
issue. Perhaps there are times when ignorance is bliss ;)

Stu

:

A patch for this will be issued tomorrow, as others in this thead
have
noted
(oops--today!)

I'd advise installing this patch.

That's what I plan to do.

--

Here's a News Article carried today by the BBC at
http://news.bbc.co.uk/2/hi/technology/7784908.stm

Serious security flaw found in IE

Users of Microsoft's Internet Explorer are being urged by experts
to
switch to a rival until a serious security flaw has been fixed.

The flaw in Microsoft's Internet Explorer could allow criminals
to
take
control of people's computers and steal their passwords, internet
experts
say.

Microsoft urged people to be vigilant while it investigated and
prepared
an emergency patch to resolve it.

Internet Explorer is used by the vast majority of the world's
computer
users.


"Microsoft is continuing its investigation of public reports of
attacks
against a new vulnerability in Internet Explorer," said the firm
in
a
security advisory alert about the flaw.

Microsoft says it has detected attacks against IE 7.0 but said
the
"underlying vulnerability" was present in all versions of the
browser.

Other browsers, such as Firefox, Opera, Chrome, Safari, are not
vulnerable
to the flaw Microsoft has identified.

Browser bait

"In this case, hackers found the hole before Microsoft did," said
Rick
Ferguson, senior security advisor at Trend Micro. "This is never
a
good
thing."

As many as 10,000 websites have been compromised since the
vulnerability
was discovered, he said.

"What we've seen from the exploit so far is it stealing game
passwords,
but it's inevitable that it will be adapted by criminals," he
said.
"It's
just a question of modifying the payload the trojan installs."


Said Mr Ferguson: "If users can find an alternative browser, then
that's
good mitigation against the threat."

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said
John
Curran,
head of Microsoft UK's Windows group.

He added: "We're trying to get this resolved as soon as possible.

"At present, this exploit only seems to affect 0.02% of internet
sites,"
said Mr Curran. "In terms of vulnerability, it only seems to be
affecting
IE7 users at the moment, but could well encompass other versions
in
time."

Richard Cox, chief information officer of anti-spam body The
Spamhaus
Project and an expert on privacy and cyber security, echoed Trend
Micro's
warning.

"It won't be long before someone reverse engineers this exploit
for
more
fraudulent purposes. Trend Mico's advice [of switching to an
alternative
web browser] is very sensible," he said.

PC Pro magazine's security editor, Darien Graham-Smith, said that
there
was a virtual arms race going on, with hackers always on the look
out
for
new vulnerabilities.

"The message needs to get out that this malicious code can be
planted
on
any web site, so simple careful browsing isn't enough."

"It's a shame Microsoft have not been able to fix this more
quickly,
but
letting people know about this flaw was the right thing to do. If
you
keep
flaws like this quiet, people are put at risk without knowing
it."

"Every browser is susceptible to vulnerabilities from time to
time.
It's
fine to say 'don't use Internet Explorer' for now, but other
browsers
may
well find themselves in a similar situation," he added.

 

[Stu]

.............. "Most jobs involve more breadth of knowledge than a given
occupant may have when he starts it--and in technical jobs--that breadth may
be growing faster than the job occupant has time to learn!"

Isn`t that a fact! It must be so difficult to keep up let alone abreast of
things. At least for me its nothing more than a hobby or interest, not a
necessity born of a profession. I often feel in the world of IT todays news
is almost history before it starts out if that makes sense. Things are moving
so fast or perhaps I`m getting slower to cromprehend. As for the Newsgroups.
I have found them to be a tremendous source of information and guidance.
Definately one of the better things MS has done in my books.

Stu

I suppose it may take a few incidents to teach an organization that the cute
web site that they can put out there for next to nothing, all done by those
amazing techies with whom we can barely communicate is in fact a major risk
of substantial embarassment or worse when things go wrong. I suspect the
vast majority of sites out there depend on contractors for the vast majority
of the technical knowledge involved--and those contractors may well have
neither the specific guidance (they aren't getting paid to watch the
changing security landscape and improve their design as needed), nor the
sense of ownership (their name isn't on the site)--that might help.

In fact, my day to day work often involves hours of keystrokes merging lists
for mailings, and every aspect of computer use from building them to
describing how to use the out of office features in Outlook. Most jobs
involve more breadth of knowledge than a given occupant may have when he
starts it--and in technical jobs--that breadth may be growing faster than
the job occupant has time to learn!

That's how I ended up in newsgroups in the first place--looking for
technical answers that weren't in the manual, and I didn't know.


--

So that is where it could all fall down? That begs the question of staff
training which will invoke awareness - not to mention education. Its all
very
well guys `like yourself ` taking a professional approach to Internet
Security` but if the training of admins and floor level staff is not
evident
in that particular organisation? Time to wonder. Are there situations when
you feel like you are walking uphill with a 60lb back pack?

Stu

They do indeed. Although it is appropriate to blame the folks who hack
legitimate sites and install malware, clearly the admins of those
legitimate
sites have not been doing all they could have.

(and so I say, as an admin of half a dozen such sites. It's a balancing
act--I know very little about web authoring, MySQL, or the various
packages
that various developers have used over time to develop the sites I have
overall charge of. I try to stay on top of security issues, and I do
discuss the specific issue of SQL injection attacks with our developers
just
to see how they respond. This stuff is not cut and dried--there isn't
any
simple testing tool that can tell you whether or not your site is safe,
as
far as I can tell--it is a question of the skills of your staff. )


Let us not forget the `good` web site devlopers have a certain
responsibility
here.

Stu

:

I managed to not broadcast this issue to the users I support--but
several
people either asked about it or sent me information about the issue to
make
sure I knew about it.

I wasn't yet ready to put into effect the work-arounds Microsoft has
supplied, given my understanding of the extent of the risk--and I see
no
point in creating fear and doubt without a clear set of actions to
prescribe.

I did write everyone this morning asking that they apply today's patch
as
soon as it is convenient for them, and I'll be doing that manually on
systems I can reach when it is available.

This was a close call--the code to exploit the vulnerability was
publicly
available since December 10th--meaning that anyone could pick it up
and
make
use of it. Fortunately, it required that you visit a web site to be
infected--it isn't something that can directly infect from an email
message.

There were some innocent sites that were hacked to distribute this
malicious
code--which is a good part of where the real risk lies for users who
don't
frequent porn sites.

I doubt that my users were making use of the features of Internet
Explorer
that would be disabled by the simpler work-arounds for this exploit,
but
I'm
not certain of that, and did't want to have to fix this twice--once
via a
work-around and then need to reverse that and install the final patch.

I'm glad they were able to produce a patch quickly.

--

Panic over Bill? You know, maybe I`m too laid back with these
security
issues. I can never understand why there is this tendency for a
`knee
jerk`
reaction with associated buzz on these NGs - like bees which have
just
been
awoken from their hives. Everything buzzing around (deliberating and
speculating) while someone works quietly in the background resolving
the
issue. Perhaps there are times when ignorance is bliss ;)

Stu

:

A patch for this will be issued tomorrow, as others in this thead
have
noted
(oops--today!)

I'd advise installing this patch.

That's what I plan to do.

--

Here's a News Article carried today by the BBC at
http://news.bbc.co.uk/2/hi/technology/7784908.stm

Serious security flaw found in IE

Users of Microsoft's Internet Explorer are being urged by experts
to
switch to a rival until a serious security flaw has been fixed.

The flaw in Microsoft's Internet Explorer could allow criminals
to
take
control of people's computers and steal their passwords, internet
experts
say.

Microsoft urged people to be vigilant while it investigated and
prepared
an emergency patch to resolve it.

Internet Explorer is used by the vast majority of the world's
computer
users.


"Microsoft is continuing its investigation of public reports of
attacks
against a new vulnerability in Internet Explorer," said the firm
in
a
security advisory alert about the flaw.

Microsoft says it has detected attacks against IE 7.0 but said
the
"underlying vulnerability" was present in all versions of the
browser.

Other browsers, such as Firefox, Opera, Chrome, Safari, are not
vulnerable
to the flaw Microsoft has identified.

Browser bait

"In this case, hackers found the hole before Microsoft did," said
Rick
Ferguson, senior security advisor at Trend Micro. "This is never
a
good
thing."

As many as 10,000 websites have been compromised since the
vulnerability
was discovered, he said.

"What we've seen from the exploit so far is it stealing game
passwords,
but it's inevitable that it will be adapted by criminals," he
said.
"It's
just a question of modifying the payload the trojan installs."


Said Mr Ferguson: "If users can find an alternative browser, then
that's
good mitigation against the threat."

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said
John
Curran,
head of Microsoft UK's Windows group.

He added: "We're trying to get this resolved as soon as possible.

"At present, this exploit only seems to affect 0.02% of internet
sites,"
said Mr Curran. "In terms of vulnerability, it only seems to be
affecting
IE7 users at the moment, but could well encompass other versions
in
time."

Richard Cox, chief information officer of anti-spam body The
Spamhaus
Project and an expert on privacy and cyber security, echoed Trend
Micro's
warning.

"It won't be long before someone reverse engineers this exploit
for
more
fraudulent purposes. Trend Mico's advice [of switching to an
alternative
web browser] is very sensible," he said.

PC Pro magazine's security editor, Darien Graham-Smith, said that
there
was a virtual arms race going on, with hackers always on the look
out
for
new vulnerabilities.

"The message needs to get out that this malicious code can be
planted
on
any web site, so simple careful browsing isn't enough."

"It's a shame Microsoft have not been able to fix this more
quickly,
but
letting people know about this flaw was the right thing to do. If
you
keep
flaws like this quiet, people are put at risk without knowing
it."

"Every browser is susceptible to vulnerabilities from time to
time.
It's
fine to say 'don't use Internet Explorer' for now, but other
browsers
may
well find themselves in a similar situation," he added.