Feeds

Attackers end-run around IE security

Backwards compatibility a breeding ground for holes

Choosing a cloud hosting partner with confidence

The flawed XMLHTTP 4.0 ActiveX control is considered legacy code by Microsoft, and a review of the component will determine whether it will be included in future version of the XML libraries.

Eliminating such legacy code would help Microsoft reduce its security problems, Marcus Sachs, director of the SANS Institute's Internet Storm Centre.

"Microsoft has to deal with the fact that their software has to be backward compatible, and that is a major source of security holes," Sachs said. "The other problem is that millions of lines of code that makes up Windows. They could pull out a old module and find out that it was a patch to a flaw that they have just opened up again."

The enhanced security of Internet Explorer 7 has convinced many security researchers to make the switch as soon as possible. The Internet Storm Centre has seen about a quarter of its visitors - who are mainly information and security professionals - that use Internet Explorer upgrade to the latest version. Yet, even that pales compared to users of Mozilla's Firefox browser - about half of the ISC's visitors using that browser have upgraded to Firefox 2.0, according to the SANS Institute.

Because Microsoft has not yet made Internet Explorer 7 part of its automated update systems, the overall move to the latest version has been modest, according to digital marketing and enterprise analytics provider WebSideStory. Only about 5.8 per cent of consumers that use Internet Explorer have upgraded. That's an improvement over consumers using Firefox: Only 1.7 per cent of those users have upgraded to the latest version, the company said.

Microsoft's Internet Explorer accounts for some 89 per cent of the 30 million unique daily visitors the company tracks, while Mozilla's Firefox accounts for 10 per cent.

Despite the flaw, consumers and business users should upgrade to the latest versions of their browsers and consider setting the kill bit for the ActiveX control or setting the Internet and local security zones to "high," two of the workarounds suggested by Microsoft, said Craig Schmugar, virus research manager at security software firm McAfee's antivirus labs. Even though only a single website has usd the exploit so far, more will likely follow, he said.

"I would not be surprised if in the next day or two we see a public posting of the exploit code and that will open up the realm to other attackers to take advantage of it," Schmugar said.

In the end, Microsoft's release of its next-generation operating system for the desktop, Windows Vista, will close down many avenues for attack. Under Vista, Internet Explorer will run in a new mode that limits access to most of the operating system's facilities, protecting data and the software. Called "protected mode," the feature will limit the access rights of Internet Explorer and stop most ActiveX abuse in its tracks, said Microsoft's Schare.

"This particular vulnerability would not affect Windows Vista at all, because of protected mode," he said. "The vulnerability would still be there but no exploit would be possible."

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.