Feeds

IE patch 'imminent'

Download.Ject fix less than a fortnight away

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

Microsoft may break its normal patch cycle to issue a fix for the vulnerability infamously exploited by last month's Download.Ject (AKA Scob) attack. Internet.com cites Dean Hachamovitch, Microsoft group product manager for Internet Explorer, in support of a story that a patch is imminent. It reports that patch to be released next week will provide a "long-term solution to the core vulnerability" that led to the Download.Ject attack, one of the most serious security pratfalls ever to hit IE.

Microsoft UK was a little more circumspect with naming a date, but suggested a fix should be available "within the next two weeks". Microsoft's monthly patches normally come out on the second Tuesday of each month. So this would allow Redmond to issue a double-plus critical fix on August 10, consistent with its monthly schedule - but at a time when many admins will be on holdiday. Microsoft has previously indicated it wanted to avoid this scenario, but its hand as been forced by the seriousness of the vulnerability exploited by Download.Ject.

In a statement, Microsoft UK said: "A comprehensive fix for all supported versions of IE is under development and will be released once it has been thoroughly tested and found to be effective across the wide variety of supported versions and configurations of IE. In the meantime, we’ve provide customers with prescriptive guidance to help mitigate these issues."

"We will release the update as soon as we are confident that we are providing a quality release with detailed prescriptive guidance to help customers effectively manage and deploy the update. This update should be ready for release within the next two weeks as soon as testing and quality review is complete," it added.

Trojan wars

Earlier this month Microsoft released a tool to clean up machines infected during last month's Download.Ject security flap. Users visiting a website contaminated with Download.Ject activated a script that downloaded a Trojan horse (called Berbew) from a website in Russia. This website was rapidly taken down, but the underlying vulnerability in Internet Explorer used in the Download.Ject attack remains unpatched, despite a workaround from Microsoft designed to limit the scope for mischief.

Redmond released these configuration changes earlier this month and yesterday followed up with a tool to remove variants of the Berbew Trojan from infected systems. Berbew (AKA Webber or Padodor) is capable of extracting passwords and login details from victims and forwarding this confidential data to crackers.

The risk posed by future Download.Ject-style attacks prompted security clearing house US-CERT to advise users to ditch IE for general web browsing, a call since repeated by other security experts.

"Our users should have confidence that as long as they're running the latest browser with all the latest security fixes, they will have the most powerful and secure browsing experience," Microsoft's Hachamovitch said. A brave statement, to say the least, especially given IE's chequered security history. Even after Microsoft shores up IE's defences to repel Download.Ject-style Trojan downloaders, history would suggest the next scripting vulnerability is only a matter of time away. ®

Related stories

CERT recommends anything but IE
IE workaround a non-starter
Microsoft half fixes serious IE vuln
MS hatches July patch batch
Watch out! Incoming mass hack attack
Unpatched IE vuln exploited by adware

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
How to simplify SSL certificate management
Simple steps to take control of SSL certificates across the enterprise, and recommendations centralizing certificate management throughout their lifecycle.