Microsoft warns of serious security hole

[AliceZ]

Read the following and wonder what I should do? Does anyone know what we are
'supposed' to do?


Last update: July 7, 2009 - 6:07 AM
SAN JOSE, Calif. - Microsoft Corp. has taken the rare step of warning about
a serious computer security vulnerability it hasn't fixed yet.

The vulnerability disclosed Monday affects Internet Explorer users whose
computers run the Windows XP or Windows Server 2003 operating software.

It can allow hackers to remotely take control of victims' machines. The
victims don't need to do anything to get infected except visit a Web site
that's been hacked.

Security experts say criminals have been attacking the vulnerability for
nearly a week. Thousands of sites have been hacked to serve up malicious
software that exploits the vulnerability. People are drawn to these sites by
clicking a link in spam e-mail.
The so-called "zero day" vulnerability disclosed by Microsoft affects a part
of its software used to play video. The problem arises from the way the
software interacts with Internet Explorer, which opens a hole for hackers to
tunnel into.

Microsoft urged vulnerable users to disable the problematic part of its
software, which can be done from Microsoft's Web site, while the company
works on a "patch" — or software fix — for the problem.

Microsoft rarely departs from its practice of issuing security updates the
second Tuesday of each month. When the Redmond, Wash.-based company does
issue security reminders at other times, it's because the vulnerabilities are
very serious.

A recent example was the emergency patch Microsoft issued in October for a
vulnerability that criminals exploited to infect millions of PCs with the
Conficker worm. While initially feared as an all-powerful doomsday device,
that network of infected machines was eventually used for mundane moneymaking
schemes like sending spam and pushing fake antivirus software.

 

[Tom Willett]

Seems like the authors of this story left out a lot of relevent information,
doesn't it?

: Read the following and wonder what I should do? Does anyone know what we
are
: 'supposed' to do?
:
:
: Last update: July 7, 2009 - 6:07 AM
: SAN JOSE, Calif. - Microsoft Corp. has taken the rare step of warning
about
: a serious computer security vulnerability it hasn't fixed yet.
:
: The vulnerability disclosed Monday affects Internet Explorer users whose
: computers run the Windows XP or Windows Server 2003 operating software.
:
: It can allow hackers to remotely take control of victims' machines. The
: victims don't need to do anything to get infected except visit a Web site
: that's been hacked.
:
: Security experts say criminals have been attacking the vulnerability for
: nearly a week. Thousands of sites have been hacked to serve up malicious
: software that exploits the vulnerability. People are drawn to these sites
by
: clicking a link in spam e-mail.
: The so-called "zero day" vulnerability disclosed by Microsoft affects a
part
: of its software used to play video. The problem arises from the way the
: software interacts with Internet Explorer, which opens a hole for hackers
to
: tunnel into.
:
: Microsoft urged vulnerable users to disable the problematic part of its
: software, which can be done from Microsoft's Web site, while the company
: works on a "patch" - or software fix - for the problem.
:
: Microsoft rarely departs from its practice of issuing security updates the
: second Tuesday of each month. When the Redmond, Wash.-based company does
: issue security reminders at other times, it's because the vulnerabilities
are
: very serious.
:
: A recent example was the emergency patch Microsoft issued in October for a
: vulnerability that criminals exploited to infect millions of PCs with the
: Conficker worm. While initially feared as an all-powerful doomsday device,
: that network of infected machines was eventually used for mundane
moneymaking
: schemes like sending spam and pushing fake antivirus software.
:

 

[Michael Barthelette]

I agree. It looks like most hoaxes do in that Microsoft never releases such
information without a plan of action. Also, I haven't seen any mention of
this security hole anywhere else...

 

[Tom Willett]

There's nothing there to back up the claims, such as links to the
information supposedly posted by MS.

in message :I agree. It looks like most hoaxes do in that Microsoft never releases
such
: information without a plan of action. Also, I haven't seen any mention of
: this security hole anywhere else...
:
: "Tom Willett" wrote:
:
: > Seems like the authors of this story left out a lot of relevent
information,
: > doesn't it?
: >
: > : > : Read the following and wonder what I should do? Does anyone know what
we
: > are
: > : 'supposed' to do?
: > :
: > :
: > : Last update: July 7, 2009 - 6:07 AM
: > : SAN JOSE, Calif. - Microsoft Corp. has taken the rare step of warning
: > about
: > : a serious computer security vulnerability it hasn't fixed yet.
: > :
: > : The vulnerability disclosed Monday affects Internet Explorer users
whose
: > : computers run the Windows XP or Windows Server 2003 operating
software.
: > :
: > : It can allow hackers to remotely take control of victims' machines.
The
: > : victims don't need to do anything to get infected except visit a Web
site
: > : that's been hacked.
: > :
: > : Security experts say criminals have been attacking the vulnerability
for
: > : nearly a week. Thousands of sites have been hacked to serve up
malicious
: > : software that exploits the vulnerability. People are drawn to these
sites
: > by
: > : clicking a link in spam e-mail.
: > : The so-called "zero day" vulnerability disclosed by Microsoft affects
a
: > part
: > : of its software used to play video. The problem arises from the way
the
: > : software interacts with Internet Explorer, which opens a hole for
hackers
: > to
: > : tunnel into.
: > :
: > : Microsoft urged vulnerable users to disable the problematic part of
its
: > : software, which can be done from Microsoft's Web site, while the
company
: > : works on a "patch" - or software fix - for the problem.
: > :
: > : Microsoft rarely departs from its practice of issuing security updates
the
: > : second Tuesday of each month. When the Redmond, Wash.-based company
does
: > : issue security reminders at other times, it's because the
vulnerabilities
: > are
: > : very serious.
: > :
: > : A recent example was the emergency patch Microsoft issued in October
for a
: > : vulnerability that criminals exploited to infect millions of PCs with
the
: > : Conficker worm. While initially feared as an all-powerful doomsday
device,
: > : that network of infected machines was eventually used for mundane
: > moneymaking
: > : schemes like sending spam and pushing fake antivirus software.
: > :
: >
: >
: >

 

[MowGreen]

Microsoft Security Advisory (972890)
Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code
Execution
http://www.microsoft.com/technet/security/advisory/972890.mspx

Alice ... there is a O Day exploit of the above ActiveX control that is
currently being actively exploited.
The ActiveX control in question has *** no by-design uses for this
ActiveX Control in Internet Explorer ***
IOW, one should disable it's functionality ASAP as the control in
question has NO legitimate use. None.

This page contains a Fixit which can be run from the page or downloaded,
saved, and then applied to XP and Windows 2003 systems:

Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX
control could allow remote code execution
http://support.microsoft.com/kb/972890

There is also a Disable workaround Fixit on the same page.

I could speculate that since the ActiveX control in question has no
legitimate use that applying the Fixit will preclude having to install a
separate patch for this vulnerability BUT, the patch may be included in
a future IE Cumulative Security Update, or it may not.

IF a patch is released separately to address this vulnerability, then
the Fixit will preclude installing that *separate* patch.

However, if it is included in a Cumulative Security Update, then it may
be wise to run the Disable workaround Fixit to avoid an installation
issue with the Cumulative Sec update.


MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

 

[AliceZ]

I am really new to computers and in particular this problem. I am using WinXP
sp3 on my desktop with IE7 and two of my family are using the same on both of
their notebooks.
What should we do?
We looked at the "Fix It" page and it states that if you run the "Fix It"
work-around, it should fix your problem. What problem are they referring to?

Does everyone (who is using WinXP sp3) have to run this "Fix It" work-around?

I, and all my family, are completely confused and frightened that something
might be wrong with our computers.

Can someone please help and use non-technical terms.
Thank you.
Alice

=================

 

[MowGreen]

I am really new to computers and in particular this problem. I am using WinXP
sp3 on my desktop with IE7 and two of my family are using the same on both of
their notebooks.
What should we do?
We looked at the "Fix It" page and it states that if you run the "Fix It"
work-around, it should fix your problem. What problem are they referring to?

Does everyone (who is using WinXP sp3) have to run this "Fix It" work-around?

I, and all my family, are completely confused and frightened that something
might be wrong with our computers.

Can someone please help and use non-technical terms.
Thank you.
Alice

This is as simple as I can possibly make it, Alice.

There's an Internet Explorer file that controls something. It is NEVER
for any legitimate purpose.
Some bad guys found out how to exploit a weakness in this file.

If you run the Fixit on the MS page there will be absolutely *NO* way
for the bad guys to run the file and take control of your computers.

Since the file has NO use for ANY legitimate purpose, there will be no
adverse consequences if you run the Fixit.

ALL versions of Windows XP are vulnerable to this exploit, Alice.
Tell your family and friends to run the Fixit ... ASAP.

Then there will be nothing to be worried about in regards to this
vulnerability.

Clear now ?


MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

 

[AliceZ]

Thank you.
Don't know if this means anything, or not, but read the following:

#1- "Open Internet Explorer 7. #2- Choose Tools from the menu. #3- From the
resulting drop-down menu, choose Manage Add-ons, followed by Enable or
Disable Add-ons....
#4- In the Manage Add-ons window, choose Downloaded ActiveX Controls from
the Show: drop-down box. The resulting list will show every ActiveX Control
that Internet Explorer 7 has installed. If an ActiveX Control is causing the
problem you're troubleshooting, it will be one listed here."

#1- I looked in that area and do not see any Microsoft Active X entries.
Does that mean anything.
#2- Do you have WinXPsp3 and did you run the FixIt?
#3- What if we don't have the file and we run the FixIt?

 

[AliceZ]

hank you MowGreen:

What does this mean (which was on he FixIt page):

"Check whether the problem is fixed. If the problem is fixed, you are
finished with this article. If the problem is not fixed, you can contact
support (http://support.microsoft.com/contactus) ."

What problem are they referring to? I never had a 'problem.' I just read
that everyone with WinXP (sp3) should download the FixIt file and execute it.


=========

 

[Jim]

hank you MowGreen:

What does this mean (which was on he FixIt page):

"Check whether the problem is fixed. If the problem is fixed, you are
finished with this article. If the problem is not fixed, you can contact
support (http://support.microsoft.com/contactus) ."

What problem are they referring to? I never had a 'problem.' I just read
that everyone with WinXP (sp3) should download the FixIt file and execute
it.

Yes, your computer had a problem; you just didn't realize that it did.

The FixIt file added registry items which are supposed to prevent the
recently discovered security hole from existing anymore. A security hole is
a definite problem especially when no one realizes its existence.

That message is a canned page which MS adds to nearly all of its hot fixes.

By the way, you should download the removal tool because if and when MS
provides a security update for ths problem, you may need to remove the
hotfix first.

Jim
<snip>

 

[AliceZ]

Thank you Jim:

You said: "By the way, you should download the removal tool because if and
when MS provides a security update for ths problem, you may need to remove
the hotfix first."

#1- If MS did provide a security update for this problem, how would we know
and how would we know to remove the FixIt (hotfix) file that we installed?

#2- When we download the FixIt tool, do we just click on the
"MSFixIt50287.msi" to run/execute it? Will the "msi" file execute and do
"it's thing"?\

======================

 

[Jim]

Replies inline---

Thank you Jim:

You said: "By the way, you should download the removal tool because if
and
when MS provides a security update for ths problem, you may need to remove
the hotfix first."

#1- If MS did provide a security update for this problem, how would we
know
and how would we know to remove the FixIt (hotfix) file that we installed?

You would read the documentation for the update to determine what you should
do. Possibly other users need to know and have already asked.

#2- When we download the FixIt tool, do we just click on the
"MSFixIt50287.msi" to run/execute it? Will the "msi" file execute and do
"it's thing"?\

Yes. It took about 2 minutes on this computer to install the hotfix.
MSFixIt50288.msi removes the hotfix.
Jim

 

[Twayne]

Read the following and wonder what I should do? Does anyone know what
we are 'supposed' to do?


Last update: July 7, 2009 - 6:07 AM
SAN JOSE, Calif. - Microsoft Corp. has taken the rare step of warning
about a serious computer security vulnerability it hasn't fixed yet.

....

You lost part of the info somehow. Here's the link it ends up sending
you to for the workaround fix:
http://support.microsoft.com/kb/972890
There's both a fixit and remove the fix link there in case you need it:
Just read the info on the page. The fixt it workaround works perfectly
and quickly; only takes a matter of seconds. Or if you prefer, see the
manual instructions also there.

Here's the complete page that has that link in it:
http://www.microsoft.com/technet/security/advisory/972890.mspx
Lots of good links in the article.

HTH,

Twayne`

 

[Twayne]

http://www.microsoft.com/technet/security/advisory/972890.mspx


"Michael Barthelette" <Michael (e-mail address removed)>
wrote in message

 

[Twayne]

There's nothing there to back up the claims, such as links to the
information supposedly posted by MS.

That's because of the Plain Text post, plus it's incomplete. Look at:

http://www.microsoft.com/technet/security/advisory/972890.mspx

HTH,

Twayne`

 

[Twayne]

Microsoft Security Advisory (972890)
Vulnerability in Microsoft Video ActiveX Control Could Allow Remote
Code Execution
http://www.microsoft.com/technet/security/advisory/972890.mspx

Alice ... there is a O Day exploit of the above ActiveX control that
is currently being actively exploited.

No, the article specifically says that as far as they know it hasn't
been exploited - yet. It's something that was found in-house so to
speak. You can bet now it'll be exploited though, since it's been
released to the public!

HTH,

Twayne`

 

[Twayne]

This is as simple as I can possibly make it, Alice.

There's an Internet Explorer file that controls something. It is NEVER
for any legitimate purpose.
Some bad guys found out how to exploit a weakness in this file.

If you run the Fixit on the MS page there will be absolutely *NO* way
for the bad guys to run the file and take control of your computers.

Since the file has NO use for ANY legitimate purpose, there will be no
adverse consequences if you run the Fixit.

Not YET there aren't.

ALL versions of Windows XP are vulnerable to this exploit, Alice.
Tell your family and friends to run the Fixit ... ASAP.

JEEZ, the misinformation in this thread!! Let's get things accurate
here!
READ the KB; here's an excerpt:
Mitigating Factors:

. Customers who are using Windows Vista or Windows Server 2008 are
not affected because the ability to pass data to this control within
Internet Explorer has been restricted.

. By default, Internet Explorer on Windows Server 2003 and 2008
runs in a restricted mode that is known as Enhanced Security
Configuration. Enhanced Security Configuration is a group of
preconfigured settings in Internet Explorer that can reduce the
likelihood of a user or administrator downloading and running specially
crafted Web content on a server. This is a mitigating factor for Web
sites that you have not added to the Internet Explorer Trusted sites
zone. See also Managing Internet Explorer Enhanced Security
Configuration.

. By default, all supported versions of Microsoft Outlook and
Microsoft Outlook Express open HTML e-mail messages in the Restricted
sites zone. The Restricted sites zone helps mitigate attacks that could
try to exploit this vulnerability by preventing Active Scripting and
ActiveX controls from being used when reading HTML e-mail messages.
However, if a user clicks a link in an e-mail message, the user could
still be vulnerable to exploitation of this vulnerability through the
Web-based attack scenario.

. In a Web-based attack scenario, an attacker could host a Web
site that contains a Web page that is used to exploit this
vulnerability. In addition, compromised Web sites and Web sites that
accept or host user-provided content or advertisements could contain
specially crafted content that could exploit this vulnerability. In all
cases, however, an attacker would have no way to force users to visit
these Web sites. Instead, an attacker would have to persuade users to
visit the Web site, typically by getting them to click a link in an
e-mail message or Instant Messenger message that takes users to the
attacker's Web site.

. An attacker who successfully exploited this vulnerability could
gain the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less
impacted than users who operate with administrative user rights.



HTH,

Twayne`

 

[Twayne]

hank you MowGreen:

What does this mean (which was on he FixIt page):

"Check whether the problem is fixed. If the problem is fixed, you are
finished with this article. If the problem is not fixed, you can
contact support (http://support.microsoft.com/contactus) ."

Well, contact support, then. Everyone seems to have missed the fact
that originally this informaiton was NOT for every joe-blow on the
street; it was first aimed at service-level people until word leaked out
about it. They've assumed that it was done as part of a Troubleshooting
operation and that there was a problem being chased down.

You can run the fix; it'll hurt nothing and give you protection until
they can get a real fix out in an update in a few months; this is only a
workaround until the actual fix can be released. I suggest you read the
entire article so you clearly understand how important this is NOT to
most people; you almost have to ask to be infected by it.

 

[AliceZ]

Thanks Jim...

I clicked on the FixIt file and it installed in about 5 seconds.
Re your "It took about 2 minutes on this computer to install the hotfix."
Maybe you have more 'stuff' on your computer (or maybe you have Vista) and
that is why it took 2 minutes.
I also downloaded the FixIt Uninstaller. I hope we know when MS releases the
"patch/Fix" for this 'problem.'
Thanks again.
Alice

========

 

[Jim]

Thanks Jim...

I clicked on the FixIt file and it installed in about 5 seconds.
Re your "It took about 2 minutes on this computer to install the hotfix."
Maybe you have more 'stuff' on your computer (or maybe you have Vista) and
that is why it took 2 minutes.
I also downloaded the FixIt Uninstaller. I hope we know when MS releases
the
"patch/Fix" for this 'problem.'
Thanks again.
Alice

Actually, I was just guessing. Five seconds is really about 2 minutes; 2
minutes are only 1 minute and 55 seconds longer.
Jim