Microsoft to release out-of-cycle patch

From: Security Guy (securityguy_at_dslextreme.com)
Date: 07/29/04

  • Next message: Middleton, Marc A.: "ISA/VPN comparison"
    To: "'Focus-MS'" <focus-ms@securityfocus.com>
    Date: Thu, 29 Jul 2004 10:57:58 -0700
    
    

    Microsoft to release out-of-cycle patch
     
    By Bill Brenner, News Writer
    29 Jul 2004 | SearchSecurity.com

    Microsoft Corp. will veer outside its once-a-month patching cycle next week
    with a permanent fix for the security holes in Internet Explorer that were
    exploited last month during the Download.ject attack.

    The patch is in the final stages of testing and will be released "within the
    week, when it has been found to be an effective and quality fix for all
    supported versions of IE," a spokesperson for the software giant said
    Wednesday night. The spokesperson declined to elaborate further.

    Criticism over Internet Explorer's multiple flaws reached a fever pitch
    following the Download.ject attack, which targeted users of the popular Web
    browser and Internet Information Services 5.0 (IIS), both components of
    Windows. Microsoft has concluded the assault was a targeted manual attack by
    individuals or entities towards a specific server. It used compromised sites
    to append JavaScript to the bottom of Web pages. When executed, the
    JavaScript would access a file hosted on another server believed to contain
    malicious code that could affect the end user's system.

    The HangUP Team, a for-profit malicious code group from Russia, is believed
    responsible for Download.ject and for the recent rash of Korgo worms that
    attacked the LSASS vulnerability Microsoft outlined in security bulletin
    MS04-011. Experts believe the goal of the attack was to deliver malicious
    code to visitors of an affected Web site that could be used to steal credit
    card and other information that would then be marketed to organized identity
    theft markets.

    Following the Download.ject attack, the U.S. Computer Emergency Readiness
    Team (US-CERT) issued a statement recommending users switch from Internet
    Explorer to alternative browsers.

    Microsoft announced a workaround to the vulnerability earlier this month
    that disables the ADODB.Stream ActiveX control, preventing widely used
    payload delivery techniques from functioning. The company recommended users
    make the configuration change immediately through Windows Update; use an
    Internet firewall on all PCs and laptops; update machines with all the
    latest security patches through Windows Update; and use up-to-date antivirus
    software.

    Information security experts criticized the software giant's response,
    saying that while the workaround may successfully block future attacks, it
    fails to fix the browser's core problem and may actually interfere with
    programs that have worked fine to date. They added that the company must
    respond to flaws more quickly than it has in the past.

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------


  • Next message: Middleton, Marc A.: "ISA/VPN comparison"