Friday 25 June 2004

Internet Explorer in the News... again

I recall reading Bruce Schneier's Secrets and Lies about two years ago. I don't remember much of what I read at the time, as it seemed to be a follow-up to an earlier book on Applied Cryptography. However, I remember being surprised when, on page 365 of the hard-cover edition, Bruce mentioned that unlike other products, computer software is sold without any liability. He went on to write that Software Manufacturers do not have to produce a quality product because they face no consequences if they don't.

I think this is true of Microsoft and Internet Explorer today:

For the umpteenth time, Internet Explorer is in the news because holes in the browser are being used in widespread attacks that are compromising Web pages and using them as launching pads for malicious computer code.

According to Eweek:

...the malicious code that has been infecting some Windows machines since Thursday morning was planted via an IIS (Internet Information Services) vulnerability on the Web servers that host some high-traffic sites.

Users visiting those sites have had their machines infected with a piece of code that installs a keystroke logger and other malicious tools.

The attack appears to affect only machines running Internet Explorer, and users do not have to click on any links or images in order for the code to download. The Trojan that's installed on compromised machines is a fairly simple one.

Symantec calls this Trojan JS.Scob.Trojan, though I think it is the same Trojan that Microsoft calls Download.Ject and LURHQ are calling Berbew/Webber/Padodor.

Wired News reports that:

The infection appears to take advantage of three separate flaws with Microsoft products. Microsoft said software updates to fix two of them had been released in April, but the third flaw was newly discovered and had no patch to fix it yet.

By the way, the patched vulnerability relates to MS04-11 and MS04-13. However, please note that this patch crashed on some Windows 2000 PCs, so this might also be an avenue of attack, though I think Microsoft shot themselves in the foot by trying to fix a host of vulnerabilities with one patch.

However, please note the following from news.com:

Web surfers are no longer playing Russian roulette each time they visit a Web site, security researchers say, now that a far-reaching Internet attack has been disarmed.

The attack, which had turned some Web sites into points of digital infection, was nipped in the bud Friday, when Internet engineers managed to shut down a Russian server that had been the source of malicious code. Compromised Web sites are still attempting to infect Web surfers' PCs by referring them to the server in Russia, but that computer can no longer be reached.

Still, Web surfers should take precautions, as the Internet underground is increasingly using this type of attack as a way to get by network defenses and infect office workers' and home users' computers.

Microsoft advises that you surf the Internet with Internet Explorer at its highest setting but I think it is better to follow the advice of Security Analysts and surf the Internet with alternative browsers such as Mozilla, Firefox and Opera.
