Feeds

Attackers end-run around IE security

Backwards compatibility a breeding ground for holes

SANS - Survey on application security programs

The flawed XMLHTTP 4.0 ActiveX control is considered legacy code by Microsoft, and a review of the component will determine whether it will be included in future version of the XML libraries.

Eliminating such legacy code would help Microsoft reduce its security problems, Marcus Sachs, director of the SANS Institute's Internet Storm Centre.

"Microsoft has to deal with the fact that their software has to be backward compatible, and that is a major source of security holes," Sachs said. "The other problem is that millions of lines of code that makes up Windows. They could pull out a old module and find out that it was a patch to a flaw that they have just opened up again."

The enhanced security of Internet Explorer 7 has convinced many security researchers to make the switch as soon as possible. The Internet Storm Centre has seen about a quarter of its visitors - who are mainly information and security professionals - that use Internet Explorer upgrade to the latest version. Yet, even that pales compared to users of Mozilla's Firefox browser - about half of the ISC's visitors using that browser have upgraded to Firefox 2.0, according to the SANS Institute.

Because Microsoft has not yet made Internet Explorer 7 part of its automated update systems, the overall move to the latest version has been modest, according to digital marketing and enterprise analytics provider WebSideStory. Only about 5.8 per cent of consumers that use Internet Explorer have upgraded. That's an improvement over consumers using Firefox: Only 1.7 per cent of those users have upgraded to the latest version, the company said.

Microsoft's Internet Explorer accounts for some 89 per cent of the 30 million unique daily visitors the company tracks, while Mozilla's Firefox accounts for 10 per cent.

Despite the flaw, consumers and business users should upgrade to the latest versions of their browsers and consider setting the kill bit for the ActiveX control or setting the Internet and local security zones to "high," two of the workarounds suggested by Microsoft, said Craig Schmugar, virus research manager at security software firm McAfee's antivirus labs. Even though only a single website has usd the exploit so far, more will likely follow, he said.

"I would not be surprised if in the next day or two we see a public posting of the exploit code and that will open up the realm to other attackers to take advantage of it," Schmugar said.

In the end, Microsoft's release of its next-generation operating system for the desktop, Windows Vista, will close down many avenues for attack. Under Vista, Internet Explorer will run in a new mode that limits access to most of the operating system's facilities, protecting data and the software. Called "protected mode," the feature will limit the access rights of Internet Explorer and stop most ActiveX abuse in its tracks, said Microsoft's Schare.

"This particular vulnerability would not affect Windows Vista at all, because of protected mode," he said. "The vulnerability would still be there but no exploit would be possible."

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.