Attackers end-run around IE security

The flawed XMLHTTP 4.0 ActiveX control is considered legacy code by Microsoft, and a review of the component will determine whether it will be included in future version of the XML libraries.

Eliminating such legacy code would help Microsoft reduce its security problems, Marcus Sachs, director of the SANS Institute's Internet Storm Centre.

"Microsoft has to deal with the fact that their software has to be backward compatible, and that is a major source of security holes," Sachs said. "The other problem is that millions of lines of code that makes up Windows. They could pull out a old module and find out that it was a patch to a flaw that they have just opened up again."

The enhanced security of Internet Explorer 7 has convinced many security researchers to make the switch as soon as possible. The Internet Storm Centre has seen about a quarter of its visitors - who are mainly information and security professionals - that use Internet Explorer upgrade to the latest version. Yet, even that pales compared to users of Mozilla's Firefox browser - about half of the ISC's visitors using that browser have upgraded to Firefox 2.0, according to the SANS Institute.

Because Microsoft has not yet made Internet Explorer 7 part of its automated update systems, the overall move to the latest version has been modest, according to digital marketing and enterprise analytics provider WebSideStory. Only about 5.8 per cent of consumers that use Internet Explorer have upgraded. That's an improvement over consumers using Firefox: Only 1.7 per cent of those users have upgraded to the latest version, the company said.

Microsoft's Internet Explorer accounts for some 89 per cent of the 30 million unique daily visitors the company tracks, while Mozilla's Firefox accounts for 10 per cent.

Despite the flaw, consumers and business users should upgrade to the latest versions of their browsers and consider setting the kill bit for the ActiveX control or setting the Internet and local security zones to "high," two of the workarounds suggested by Microsoft, said Craig Schmugar, virus research manager at security software firm McAfee's antivirus labs. Even though only a single website has usd the exploit so far, more will likely follow, he said.

"I would not be surprised if in the next day or two we see a public posting of the exploit code and that will open up the realm to other attackers to take advantage of it," Schmugar said.

In the end, Microsoft's release of its next-generation operating system for the desktop, Windows Vista, will close down many avenues for attack. Under Vista, Internet Explorer will run in a new mode that limits access to most of the operating system's facilities, protecting data and the software. Called "protected mode," the feature will limit the access rights of Internet Explorer and stop most ActiveX abuse in its tracks, said Microsoft's Schare.

"This particular vulnerability would not affect Windows Vista at all, because of protected mode," he said. "The vulnerability would still be there but no exploit would be possible."

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus