Feeds

IE patch 'imminent'

Download.Ject fix less than a fortnight away

  • alert
  • submit to reddit

Top three mobile application threats

Microsoft may break its normal patch cycle to issue a fix for the vulnerability infamously exploited by last month's Download.Ject (AKA Scob) attack. Internet.com cites Dean Hachamovitch, Microsoft group product manager for Internet Explorer, in support of a story that a patch is imminent. It reports that patch to be released next week will provide a "long-term solution to the core vulnerability" that led to the Download.Ject attack, one of the most serious security pratfalls ever to hit IE.

Microsoft UK was a little more circumspect with naming a date, but suggested a fix should be available "within the next two weeks". Microsoft's monthly patches normally come out on the second Tuesday of each month. So this would allow Redmond to issue a double-plus critical fix on August 10, consistent with its monthly schedule - but at a time when many admins will be on holdiday. Microsoft has previously indicated it wanted to avoid this scenario, but its hand as been forced by the seriousness of the vulnerability exploited by Download.Ject.

In a statement, Microsoft UK said: "A comprehensive fix for all supported versions of IE is under development and will be released once it has been thoroughly tested and found to be effective across the wide variety of supported versions and configurations of IE. In the meantime, we’ve provide customers with prescriptive guidance to help mitigate these issues."

"We will release the update as soon as we are confident that we are providing a quality release with detailed prescriptive guidance to help customers effectively manage and deploy the update. This update should be ready for release within the next two weeks as soon as testing and quality review is complete," it added.

Trojan wars

Earlier this month Microsoft released a tool to clean up machines infected during last month's Download.Ject security flap. Users visiting a website contaminated with Download.Ject activated a script that downloaded a Trojan horse (called Berbew) from a website in Russia. This website was rapidly taken down, but the underlying vulnerability in Internet Explorer used in the Download.Ject attack remains unpatched, despite a workaround from Microsoft designed to limit the scope for mischief.

Redmond released these configuration changes earlier this month and yesterday followed up with a tool to remove variants of the Berbew Trojan from infected systems. Berbew (AKA Webber or Padodor) is capable of extracting passwords and login details from victims and forwarding this confidential data to crackers.

The risk posed by future Download.Ject-style attacks prompted security clearing house US-CERT to advise users to ditch IE for general web browsing, a call since repeated by other security experts.

"Our users should have confidence that as long as they're running the latest browser with all the latest security fixes, they will have the most powerful and secure browsing experience," Microsoft's Hachamovitch said. A brave statement, to say the least, especially given IE's chequered security history. Even after Microsoft shores up IE's defences to repel Download.Ject-style Trojan downloaders, history would suggest the next scripting vulnerability is only a matter of time away. ®

Related stories

CERT recommends anything but IE
IE workaround a non-starter
Microsoft half fixes serious IE vuln
MS hatches July patch batch
Watch out! Incoming mass hack attack
Unpatched IE vuln exploited by adware

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
Oracle working on at least 13 Heartbleed fixes
Big Red's cloud is safe and Oracle Linux 6 has been patched, but Java has some issues
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.