Feeds

IE patch 'imminent'

Download.Ject fix less than a fortnight away

  • alert
  • submit to reddit

Protecting against web application threats using SSL

Microsoft may break its normal patch cycle to issue a fix for the vulnerability infamously exploited by last month's Download.Ject (AKA Scob) attack. Internet.com cites Dean Hachamovitch, Microsoft group product manager for Internet Explorer, in support of a story that a patch is imminent. It reports that patch to be released next week will provide a "long-term solution to the core vulnerability" that led to the Download.Ject attack, one of the most serious security pratfalls ever to hit IE.

Microsoft UK was a little more circumspect with naming a date, but suggested a fix should be available "within the next two weeks". Microsoft's monthly patches normally come out on the second Tuesday of each month. So this would allow Redmond to issue a double-plus critical fix on August 10, consistent with its monthly schedule - but at a time when many admins will be on holdiday. Microsoft has previously indicated it wanted to avoid this scenario, but its hand as been forced by the seriousness of the vulnerability exploited by Download.Ject.

In a statement, Microsoft UK said: "A comprehensive fix for all supported versions of IE is under development and will be released once it has been thoroughly tested and found to be effective across the wide variety of supported versions and configurations of IE. In the meantime, we’ve provide customers with prescriptive guidance to help mitigate these issues."

"We will release the update as soon as we are confident that we are providing a quality release with detailed prescriptive guidance to help customers effectively manage and deploy the update. This update should be ready for release within the next two weeks as soon as testing and quality review is complete," it added.

Trojan wars

Earlier this month Microsoft released a tool to clean up machines infected during last month's Download.Ject security flap. Users visiting a website contaminated with Download.Ject activated a script that downloaded a Trojan horse (called Berbew) from a website in Russia. This website was rapidly taken down, but the underlying vulnerability in Internet Explorer used in the Download.Ject attack remains unpatched, despite a workaround from Microsoft designed to limit the scope for mischief.

Redmond released these configuration changes earlier this month and yesterday followed up with a tool to remove variants of the Berbew Trojan from infected systems. Berbew (AKA Webber or Padodor) is capable of extracting passwords and login details from victims and forwarding this confidential data to crackers.

The risk posed by future Download.Ject-style attacks prompted security clearing house US-CERT to advise users to ditch IE for general web browsing, a call since repeated by other security experts.

"Our users should have confidence that as long as they're running the latest browser with all the latest security fixes, they will have the most powerful and secure browsing experience," Microsoft's Hachamovitch said. A brave statement, to say the least, especially given IE's chequered security history. Even after Microsoft shores up IE's defences to repel Download.Ject-style Trojan downloaders, history would suggest the next scripting vulnerability is only a matter of time away. ®

Related stories

CERT recommends anything but IE
IE workaround a non-starter
Microsoft half fixes serious IE vuln
MS hatches July patch batch
Watch out! Incoming mass hack attack
Unpatched IE vuln exploited by adware

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.