
Re: [News] Microsoft patches bad browser bug -- and editorial

  • Subject: Re: [News] Microsoft patches bad browser bug -- and editorial
  • From: Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx>
  • Date: Thu, 28 Sep 2006 21:07:00 +0100
  • Newsgroups: comp.os.linux.advocacy
  • Organization: schestowitz.com / ISBE, Manchester University / ITS / Netscape / MCC
  • References: <7d9ru3-rsp.ln1@sirius.tg00suus7038.net>
  • Reply-to: newsgroups@xxxxxxxxxxxxxxx
  • User-agent: KNode/0.7.2
__/ [ The Ghost In The Machine ] on Thursday 28 September 2006 00:00 \__

> 
> http://news.bbc.co.uk/2/hi/technology/5384170.stm
> 
> |Microsoft has released a patch for a bug in the Internet Explorer
> |browser two weeks early to combat a mounting number of attacks made via
> |the loophole.
> 
> ...
> 
> |The bug was discovered by security firm Sunbelt Software and revolves
> |around the way that the Internet Explorer browser handles a technology
> |known as vector graphics.
> 
> |Via a carefully made webpage, malicious hackers can exploit this bug to
> |take over machines. Porn sites were among the first to exploit this bug
> |but many others started to use it once it became more widely known.
> 
> ...
> 
> (Editorial)
> 
> Pardon me while I puke.  *COUGH*
> 
> I will laud Microsoft for a quick turnaround, but do
> wonder how one would be able to install a keylogger on a
> more normal system (such as MacOSX, *BSD, or Linux :-)),
> even given this browser problem.  The best I can do
> is to open a borderless window with an X proxy covering
> the old desktop and then try to duplicate the desktop --
> which gets messy quickly since there are so many desktops.
> 
> An alternate method is to fiddle with LD_LIBRARY_PATH
> in .bashrc and then wait until the user logs in again.
> This method is far less obvious from a visual standpoint
> ("duh, why is my desktop refreshing itself?") but would
> probably require quite a bit of work to do properly,
> mostly because if the erstwhile hacker wants to replace a
> library he has to know exactly which library to replace,
> and what version, even given x86 prevalence.
> 
> Otherwise subtle bugs occur -- or maybe not so subtle.
> ("Duh, why is my browser crashing?")
> 
> Thank you, Microsoft, for once again proving that security
> should always take a back seat to functionality.
> 
> Not.
> 
> (http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx
> 
> is the official Microsoft announcement, apparently. )

To demonstrate the scale of the damage, I would like to add some other
editorials and articles which refer to this incident.

First of all, Microsoft is /considering/ an early fix. This is damaging to
trust with the ('raped') customer.

http://news.bbc.co.uk/1/hi/technology/5377802.stm

,----[ Quote ]
| Microsoft is considering the early release of a fix for a bug in Internet
| Explorer that malicious hackers are actively exploiting online.
`----

Funny that! Only days /before/ Microsoft issued this statement, the bug had
been exploited very widely.

Russian sites using new IE bug to install spyware

,----[ Quote ]
| This is the second unpatched flaw found in IE over the past week. On
| Sept. 14, researchers posted code that could be used to exploit a
| different vulnerability in a multimedia component of the Web browser.
| Microsoft is still investigating that flaw and is not saying whether it
| too will be patched next month.
`----

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003446&source=rss_news50
http://tinyurl.com/edfdw

IE Exploit Could Soon Be Used By 10,000-plus Sites

,----[ Quote ]
| First reported by Florida-based Sunbelt Software Tuesday, the bug has
| already been used to compromise PCs and load them with scores of adware
| and spyware programs, as well as other malicious code. Users surfing with
| IE 6 and earlier can be infected simply by viewing the wrong site.
`----

http://www.techweb.com/wire/security/193004128;jsessionid=QXNCAQ0RB3TRYQSNDLRCKH0CJUNN2JVN

So Microsoft finally addresses the issue.

Microsoft's Out-of-Band IE Patch: A Little Too Late?

,----[ Quote ]
| The company ships an out-of-cycle fix to help thwart a rash of
| zero-day malware attacks, but some security experts say the bulk of
| the damage has already been done.
`----

http://www.eweek.com/article2/0,1895,2020889,00.asp

If you manage a department filled with Windows boxes, I don't know how you
can forgive Microsoft for vanity and apathy. Too many bugs remain shelved
and only high-scale damage begs for real actions. It's the equivalent of a
lifeguard who only jumps in the water when somebody drowns, but never
sets a rope to define areas of risk.
