
September 22, 2006 1:58 PM PDT

Security pros provide interim IE patch

A group of security professionals has created a third-party fix for a recently discovered Internet Explorer flaw that's increasingly being used in cyberattacks.

The group, which calls itself the Zeroday Emergency Response Team, or ZERT, created the patch so IE users can protect themselves while Microsoft works on an official fix.

"Certain members of the group feel that the risk associated with this vulnerability is so great that they can't wait for a patch. Some users might agree with that and apply this patch," ZERT spokesman Randy Abrams said Friday. Abrams is director of technical education at security company ESET and volunteers with ZERT.

The flaw lies in the way IE 6 handles certain graphics. Malicious software can be loaded onto a vulnerable Windows PC, without the user's knowledge, when the user views a malicious Web page or clicks on a link to one in an e-mail message. Word of the vulnerability came earlier this week, by which time the weakness was already being exploited in cyberattacks.

"Attacks have ramped up significantly in the past 24 hours," said Ken Dunham, director of the rapid response team at VeriSign's iDefense. In many cases, the attacks install spyware, adware and remote control software on victims' PCs.

In at least one case, cybercriminals broke into a Web hosting company and redirected 500 Internet domains to point to a malicious site that exploits this latest flaw, Dunham said. "So you're just surfing the Web, and all of a sudden, you are redirected to a malicious Web site," he said.

Attacks that exploit the flaw via e-mail likely will surface soon, he added.

While Microsoft is aware of the attacks, it said it does not recommend using the third-party fix. "As a best practice, customers should obtain security updates and guidance from the original software vendor," a Microsoft representative said in a statement.

This is the third time this year somebody has beaten Microsoft to the punch with a security fix. In January, an outside patch was created for a vulnerability in the way Windows renders Windows Metafile images, and in March, two security companies issued patches for a bug related to how IE handled certain tags in Web pages.

ZERT is made up of security professionals from around the world who volunteer their time. The ZERT patch, available for Windows 2000, Windows XP and Windows Server 2003, was created in 19 hours, primarily by three experts: Joe Stewart of Lurhq, Israeli reverse-engineering specialist Gil Dabah, and vulnerability researcher Michael Hale Ligh, Abrams said.

Risk of third-party fixes
A word of caution is warranted when it comes to third-party fixes, ZERT noted. "There is a risk associated with a third-party patch because it hasn't gone through the extensive testing that Microsoft puts its patches through," Abrams said. ZERT does provide the source code of its fix, allowing people to validate what it does.

On its Web site, ZERT stresses that its fix has no warranties. "While ZERT tests these patches, they are not official patches with vendor support and are provided as-is with no guarantee as to fitness for your particular environment. Use them at your own risk or wait for a vendor-supported patch," the group stated. The ZERT fix will be removed from the group's site once Microsoft has issued its update, the group said.

ZERT's patch may work well for some individual users or smaller organizations, iDefense's Dunham said. "Most small businesses are agile, but for larger organizations, applying a patch is a bigger hassle. A third-party patch introduces a wide variety of concerns and cost measures, and those can't be ignored," he said.

In addition to compatibility problems, third-party fixes could introduce security vulnerabilities of their own, Dunham said. On its Web site, Microsoft provides several workarounds that do not require the third-party patch. Dunham recommends using a workaround, but also said he expects Microsoft to rush out its patch before Oct. 10, its next scheduled monthly update.


22 comments (showing first 20)
IE7 RC1
by roger.d.miller September 22, 2006 2:07 PM PDT
IE7 RC1 is not vulnerable and is readily available.
Hmm... where are all the MSFT apologists today?
by Penguinisto September 22, 2006 2:08 PM PDT
Funny you don't see any.

BTW - according to http://isc.sans.org, it ain't just porn sites getting smacked with this...

Ah well - maybe all the astroturfers are busy trying to reload Windows onto the freshly busted machines?

( as /me goes surfing on in Firefox on Linux... )

/P
Another way to workaround: Set Security to High
by fc11 September 22, 2006 2:41 PM PDT
Set security to high and then enable file download. This vulnerability and most other IE vulnerabilities do not apply if you set security to high.

For any site you really want scripting to work, add it to intranet zone.

I used IE for 8 years with this practice and never had a problem. I viewed all sorts of sites and never had to worry.
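The zone-based workaround the comment above describes, written out as a PowerShell script. This is an added example, not code from the article, the commenter, ZERT or Microsoft. It assumes the documented per-user IE zone storage in the registry (zone 3 = Internet, zone 1 = Local intranet, CurrentLevel 0x12000 = High, action IDs 1803 = File download, 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting, with data 0 = Enable and 3 = Disable), and the domain intranet.example is a placeholder.

```powershell
# Added example: apply "Security = High, then re-enable file download" to the
# Internet zone and move one trusted site into the Local intranet zone.
# Not from the article or the comment. Registry layout is the documented IE
# zone storage under HKCU; 'intranet.example' is a placeholder domain.
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# CurrentLevel is only the template label IE shows in the slider; the per-action
# values are what it enforces, so a script has to write both.
$HighLevel = 0x12000
$Actions = @{
    '1200' = 3   # Run ActiveX controls and plug-ins: Disable
    '1400' = 3   # Active scripting: Disable
    '1803' = 0   # File download: Enable (High turns it off; the comment turns it back on)
}

function Set-InternetZoneHigh {
    $zone = Join-Path $ZonesKey '3'      # zone 3 = Internet
    Set-ItemProperty -Path $zone -Name 'CurrentLevel' -Value $HighLevel -Type DWord
    foreach ($id in $Actions.Keys) {
        Set-ItemProperty -Path $zone -Name $id -Value $Actions[$id] -Type DWord
    }
}

function Add-IntranetSite {
    param([Parameter(Mandatory=$true)][string]$Domain)
    $key = Join-Path $DomainsKey $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Value name is the scheme ('http', 'https') or '*'; data is the zone number.
    Set-ItemProperty -Path $key -Name 'http' -Value 1 -Type DWord   # 1 = Local intranet
}

function Test-InternetZoneHigh {
    # Returns $true only if every action matches what the workaround expects.
    $zone  = Join-Path $ZonesKey '3'
    $props = Get-ItemProperty -Path $zone
    if ([int]$props.CurrentLevel -ne $HighLevel) { return $false }
    foreach ($id in $Actions.Keys) {
        if ([int]$props.$id -ne $Actions[$id]) { return $false }
    }
    return $true
}

Set-InternetZoneHigh
Add-IntranetSite -Domain 'intranet.example'
if (Test-InternetZoneHigh) { 'Internet zone is High with file download re-enabled' }
else { 'Internet zone settings differ from the workaround' }
```

Two caveats a practitioner should check before relying on this: the values live under HKCU, so the script must run as the affected user and is overridden by any Group Policy or machine-wide (HKLM) zone settings, and open IE windows keep their old settings until restarted. The article also does not say whether the graphics-handling flaw needs scripting or ActiveX to trigger, so a zone-level workaround should be confirmed against the vendor's own guidance rather than assumed to cover it.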
Another way to workaround: Set default browser to anything but Microsoft IE
by extinctone September 22, 2006 6:06 PM PDT
C'mon people, how many times do you have to hear it? The single most effective defense against never-ending Internet threats is, do not use Microsoft products. All products are vulnerable, but all products combined do not have as many threat vectors as MS products alone.
sheesh
by qwerty75 September 22, 2006 7:29 PM PDT
"he expects Microsoft to rush out its patch before Oct. 10."

How many weeks is that?

If this was a problem in Firefox it would have been fixed by now.
MS Defense.
by suzo September 22, 2006 8:14 PM PDT
Well, if you plan to attack somebody, why would you attack an OS or browser that less than 10% of users use? If you think that Firefox is better, check http://news.com.com/Firefox+update+patches+security+holes/2100-1002_3-6116267.html. Overall, security issues exist in any product; MS products get attacked more because most people have them installed. Keep in mind that MS cannot rush a patch. Doing a code fix may not take a long time, but the overhead of releasing it takes much longer. You cannot rush a patch, since it can backfire with possible regressions or other problems. MS faces big challenges in terms of testing since, as you may know, most people write software on top of their products, so most likely testing will take them longer. Just think of the number of different configurations that they have to test an IE patch on... In terms of OSes: WinXP SP2, WinXP SP1, Win2k SP4, Win2003 RTM, Win2003 SP1... In terms of internal MS products that use IE: Office 2000, Office 2002, Office 2003, Visio, Project... etc. What about making sure third-party software still works correctly? Also, how many different ways does MS make this fix widely available? Windows Update, Microsoft Update, Automatic Updates, download from the Web, SMS, etc... I think MS is committed; sometimes people overlook the time this work may take. I mean... it's not just make a fix and ship it; that can be done by a third-party company since they don't have to face the consequences of not doing it correctly...
THIS patch will RUIN your computer
by bdurant September 23, 2006 8:23 AM PDT
Don't EVEN download it.... spyware!!!!
Chief Ethics Officer Canned On Friday
by CancerMan2 September 23, 2006 5:56 PM PDT
HP's Chief Ethics Officer, Kevin T. Hunsaker, was canned on Friday. According to the story below, he made specific requests that the investigator obtain personal telephone records. Sounds like a great guy. I am sure he will quickly be snapped up by Big Oil, just like Richard Armitage (Plamegate), who now sits on the board of ConocoPhillips. Crime does pay, if it's big-time crime.

http://www.theage.com.au/news/Technology/HPs-ethics-chief-pointed-investigator-toward-directors-suspectedof-leaking-email-shows/2006/09/23/1158431932837.html
Common Sense 101
by wbenton September 24, 2006 9:10 AM PDT
This article proves several things:

#1. Security Pros are capable of coming out with a patch quicker than Microsoft, proving that Microsoft is DEFINITELY NOT A SECURITY PRO!!!

#2. Microsoft feels that they can postpone their patch until their regularly released Oct 10th patching time-frame, when the rest of the security world follows the guidelines of 24 hours to fix Critical flaws and 72 hours to fix non-critical flaws... not like Microsoft, who feels that Critical flaws can be delayed at least 21 days!

#3. That IE is not worth the disk space it resides on... and at today's disk space prices... that ain't much at all.

#4. If nobody used IE... such a flaw wouldn't mean a hill of beans!!!

#5. Microsoft's stance towards stronger security doesn't mean a hill of beans either.

#6. If you want to be hacked over and over and over again... continue using IE.

Walt
Microsoft's Workaround
by wbenton September 24, 2006 9:18 AM PDT
One of Microsoft's workarounds says to turn off ActiveX.

But if you turn off ActiveX, you won't be able to automatically update their upcoming patch whenever it is due. (* LOL *)

Seems like Microsoft is walking all over their own two feet on this one. (* GRIN *)

At least the Security Pros are on their toes!!!

Walt