Original URL: https://www.theregister.com/2004/07/30/ie_scob_fix_imminent/

IE patch 'imminent'

Download.Ject fix less than a fortnight away

By John Leyden

Posted in Security, 30th July 2004 12:23 GMT

Microsoft may break its normal patch cycle to issue a fix for the vulnerability infamously exploited by last month's Download.Ject (AKA Scob) attack. Internet.com cites Dean Hachamovitch, Microsoft group product manager for Internet Explorer, in support of a story that a patch is imminent. It reports that patch to be released next week will provide a "long-term solution to the core vulnerability" that led to the Download.Ject attack, one of the most serious security pratfalls ever to hit IE.

Microsoft UK was a little more circumspect with naming a date, but suggested a fix should be available "within the next two weeks". Microsoft's monthly patches normally come out on the second Tuesday of each month. So this would allow Redmond to issue a double-plus critical fix on August 10, consistent with its monthly schedule - but at a time when many admins will be on holdiday. Microsoft has previously indicated it wanted to avoid this scenario, but its hand as been forced by the seriousness of the vulnerability exploited by Download.Ject.

In a statement, Microsoft UK said: "A comprehensive fix for all supported versions of IE is under development and will be released once it has been thoroughly tested and found to be effective across the wide variety of supported versions and configurations of IE. In the meantime, we’ve provide customers with prescriptive guidance to help mitigate these issues."

"We will release the update as soon as we are confident that we are providing a quality release with detailed prescriptive guidance to help customers effectively manage and deploy the update. This update should be ready for release within the next two weeks as soon as testing and quality review is complete," it added.

Trojan wars

Earlier this month Microsoft released a tool to clean up machines infected during last month's Download.Ject security flap. Users visiting a website contaminated with Download.Ject activated a script that downloaded a Trojan horse (called Berbew) from a website in Russia. This website was rapidly taken down, but the underlying vulnerability in Internet Explorer used in the Download.Ject attack remains unpatched, despite a workaround from Microsoft designed to limit the scope for mischief.

Redmond released these configuration changes earlier this month and yesterday followed up with a tool to remove variants of the Berbew Trojan from infected systems. Berbew (AKA Webber or Padodor) is capable of extracting passwords and login details from victims and forwarding this confidential data to crackers.

The risk posed by future Download.Ject-style attacks prompted security clearing house US-CERT to advise users to ditch IE for general web browsing, a call since repeated by other security experts.

"Our users should have confidence that as long as they're running the latest browser with all the latest security fixes, they will have the most powerful and secure browsing experience," Microsoft's Hachamovitch said. A brave statement, to say the least, especially given IE's chequered security history. Even after Microsoft shores up IE's defences to repel Download.Ject-style Trojan downloaders, history would suggest the next scripting vulnerability is only a matter of time away. ®

Related stories

CERT recommends anything but IE
IE workaround a non-starter
Microsoft half fixes serious IE vuln
MS hatches July patch batch
Watch out! Incoming mass hack attack
Unpatched IE vuln exploited by adware