Microsoft to release out-of-cycle patch
From: Security Guy (securityguy_at_dslextreme.com)
Date: 07/29/04
- Previous message: Marc Fossi: "SecurityFocus Microsoft Newsletter #199"
- In reply to: Marc Fossi: "Article Announcement: The Pied Piper Syndrome"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Focus-MS'" <focus-ms@securityfocus.com>
Date: Thu, 29 Jul 2004 10:57:58 -0700
Microsoft to release out-of-cycle patch
By Bill Brenner, News Writer
29 Jul 2004 | SearchSecurity.com
Microsoft Corp. will veer outside its once-a-month patching cycle next week
with a permanent fix for the security holes in Internet Explorer that were
exploited last month during the Download.ject attack.
The patch is in the final stages of testing and will be released "within the
week, when it has been found to be an effective and quality fix for all
supported versions of IE," a spokesperson for the software giant said
Wednesday night. The spokesperson declined to elaborate further.
Criticism over Internet Explorer's multiple flaws reached a fever pitch
following the Download.ject attack, which targeted users of the popular Web
browser and Internet Information Services 5.0 (IIS), both components of
Windows. Microsoft has concluded the assault was a targeted manual attack by
individuals or entities towards a specific server. It used compromised sites
to append JavaScript to the bottom of Web pages. When executed, the
JavaScript would access a file hosted on another server believed to contain
malicious code that could affect the end user's system.
The HangUP Team, a for-profit malicious code group from Russia, is believed
to be responsible for Download.ject and for the recent rash of Korgo worms that
attacked the LSASS vulnerability Microsoft outlined in security bulletin
MS04-011. Experts believe the goal of the attack was to deliver malicious
code to visitors of an affected Web site that could be used to steal credit
card and other information, which would then be sold on to organized identity
theft markets.
Following the Download.ject attack, the U.S. Computer Emergency Readiness
Team (US-CERT) issued a statement recommending users switch from Internet
Explorer to alternative browsers.
Microsoft announced a workaround to the vulnerability earlier this month
that disables the ADODB.Stream ActiveX control, preventing widely used
payload delivery techniques from functioning. The company recommended users
make the configuration change immediately through Windows Update; use an
Internet firewall on all PCs and laptops; update machines with all the
latest security patches through Windows Update; and use up-to-date antivirus
software.
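As an added defender-side check that is not part of the article: the workaround Microsoft shipped disables ADODB.Stream by setting the ActiveX "kill bit" for its class ID. The script below reads that setting and reports whether the control is blocked. The CLSID, registry path and 0x400 flag value come from Microsoft's published KB870669 guidance for this workaround, not from this article, and are stated here as assumptions.

```powershell
# Added example: verify the ADODB.Stream kill bit on a Windows host.
# CLSID and key path per Microsoft KB870669 (assumed; not given in the article).
$Clsid   = '{00000566-0000-0010-8000-00AA006D2EA4}'   # ADODB.Stream class ID
$KillBit = 0x400                                      # COMPAT_EVIL_DONT_LOAD flag
$Key     = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Test-AdodbStreamKillBit {
    param([string]$Path = $Key)

    # No key at all means the workaround was never applied.
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Present = $false; Flags = $null; Disabled = $false }
    }

    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $flags = $props.'Compatibility Flags'
    if ($null -eq $flags) {
        # Key exists but carries no flags value: the control still loads.
        return [pscustomobject]@{ Present = $true; Flags = $null; Disabled = $false }
    }

    [pscustomobject]@{
        Present  = $true
        Flags    = ('0x{0:X8}' -f [int]$flags)
        Disabled = (([int]$flags -band $KillBit) -ne 0)   # kill bit set?
    }
}

$result = Test-AdodbStreamKillBit
if ($result.Disabled) {
    Write-Output "ADODB.Stream kill bit is set ($($result.Flags)); IE will not instantiate the control."
} else {
    Write-Warning "ADODB.Stream kill bit is NOT set; the KB870669 workaround is not applied on this host."
}
```

On 64-bit Windows the same key also exists under the Wow6432Node hive for 32-bit IE, so check both when auditing a fleet.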
Information security experts criticized the software giant's response,
saying that while the workaround may successfully block future attacks, it
fails to fix the browser's core problem and may actually interfere with
programs that have worked fine to date. They added that the company must
respond to flaws more quickly than it has in the past.