Feeds

Attackers end-run around IE security

Backwards compatibility a breeding ground for holes

Using blade systems to cut costs and sharpen efficiencies

The flawed XMLHTTP 4.0 ActiveX control is considered legacy code by Microsoft, and a review of the component will determine whether it will be included in future version of the XML libraries.

Eliminating such legacy code would help Microsoft reduce its security problems, Marcus Sachs, director of the SANS Institute's Internet Storm Centre.

"Microsoft has to deal with the fact that their software has to be backward compatible, and that is a major source of security holes," Sachs said. "The other problem is that millions of lines of code that makes up Windows. They could pull out a old module and find out that it was a patch to a flaw that they have just opened up again."

The enhanced security of Internet Explorer 7 has convinced many security researchers to make the switch as soon as possible. The Internet Storm Centre has seen about a quarter of its visitors - who are mainly information and security professionals - that use Internet Explorer upgrade to the latest version. Yet, even that pales compared to users of Mozilla's Firefox browser - about half of the ISC's visitors using that browser have upgraded to Firefox 2.0, according to the SANS Institute.

Because Microsoft has not yet made Internet Explorer 7 part of its automated update systems, the overall move to the latest version has been modest, according to digital marketing and enterprise analytics provider WebSideStory. Only about 5.8 per cent of consumers that use Internet Explorer have upgraded. That's an improvement over consumers using Firefox: Only 1.7 per cent of those users have upgraded to the latest version, the company said.

Microsoft's Internet Explorer accounts for some 89 per cent of the 30 million unique daily visitors the company tracks, while Mozilla's Firefox accounts for 10 per cent.

Despite the flaw, consumers and business users should upgrade to the latest versions of their browsers and consider setting the kill bit for the ActiveX control or setting the Internet and local security zones to "high," two of the workarounds suggested by Microsoft, said Craig Schmugar, virus research manager at security software firm McAfee's antivirus labs. Even though only a single website has usd the exploit so far, more will likely follow, he said.

"I would not be surprised if in the next day or two we see a public posting of the exploit code and that will open up the realm to other attackers to take advantage of it," Schmugar said.

In the end, Microsoft's release of its next-generation operating system for the desktop, Windows Vista, will close down many avenues for attack. Under Vista, Internet Explorer will run in a new mode that limits access to most of the operating system's facilities, protecting data and the software. Called "protected mode," the feature will limit the access rights of Internet Explorer and stop most ActiveX abuse in its tracks, said Microsoft's Schare.

"This particular vulnerability would not affect Windows Vista at all, because of protected mode," he said. "The vulnerability would still be there but no exploit would be possible."

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.