Hackers jump through holes in Microsoft patch

Security experts are warning Microsoft customers about silent Internet attacks that exploit a security flaw in the Internet Explorer Web browser, potentially allowing remote attackers to run malicious code on vulnerable machines.

The vulnerability is similar in scope to those exploited by devastating worms such as Nimda, Badtrans and Klez, according to one security company. And, to make matters worse, the flaw is one Microsoft said it fixed weeks ago.

The security hole, known as the "Object Data vulnerability," affects Internet Explorer (IE) versions 5.01, 5.5 and 6.0. It concerns the way that IE processes HTML (Hypertext Markup Language) pages containing a special element called the Object Data tag. If properly exploited, the vulnerability could enable an attacker to place a malicious computer program on a user's machine. No user actions would be required aside from opening an e-mail message or visiting a Web page containing the attack.

On August 20, Microsoft released a patch for IE, MS03--032, that it said closed the hole, in addition to patching other security holes in IE.

According to a message posted to a prominent security discussion group Sunday, however, the vulnerability still exists on machines using IE even after applying the patch.

That message, posted by an individual using the name "http-equiv@excite.com," contained sample code that showed IE is still vulnerable to attack using the vulnerability from HTML pages that are created dynamically using computer script, like JavaScript, embedded in Web pages or e-mail messages.

A Microsoft spokesman confirmed that the company is investigating the reports of new exploits for one of the vulnerabilities addressed in the MS03-032 security bulletin.

However, Microsoft still recommends that customers install that patch, he said.

The software company is not aware of any customers who have been attacked using the vulnerability, he said.

However, security researchers know of at least one exploitation of the Object Data vulnerability that is already circulating on the Internet, according to a statement by security company Secunia of Copenhagen, Denmark.

An e-mail message that contains HTML code that exploits the vulnerability is used to silently retrieve and run a file, "drg.exe," that installs a file called "surferbar.dll" onto the victim's computer, according to the Secunia alert.

That file adds a new bar to the affected users' Internet Explorer Web browser with links to pornographic Web sites, the company said.

The Object Data vulnerability is also similar to an earlier IE security hole dating to 2001, MS01-020, that was exploited by virulent e-mail worms such as Nimda and Klez, according to Secunia.

Security experts familiar with the issue say that Microsoft's failure to thoroughly test their patch against attack scenarios using the Object Data vulnerability is a black eye for the company.

"Microsoft should be ashamed. This is a major embarrassment," said Richard Smith, an independent security analyst based in Boston.

The problem with the Object Data vulnerability is similar to a hole found in a prior Microsoft patch, according to Israeli security company GreyMagic Software, which issued a report on the problem in Feb. 2002.

That fact points to problems with Microsoft's patch testing process, Smith said.

"They need to go back and look at how this slip-up occurred. They keep saying they can't prevent bugs, but when the same problems keep occurring over and over, that's a management issue," he said.

A Microsoft spokesman said the company is committed to keeping customers data safe and will take "appropriate action" to protect customers when its investigation into the new exploits is complete.

In the absence of a patch from Microsoft to fix the problem, security experts recommended disabling support for Active Scripting on affected IE versions. Failing that, users should consider uninstalling the popular browser to protect themselves from attack, experts said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?