Security experts are warning Microsoft customers about
silent internet attacks, which exploit a security flaw in Internet
Explorer and, potentially, allow remote attackers to run malicious
code on vulnerable machines.
The vulnerability is similar in scope to those exploited by
devastating worms such as Nimda, Badtrans and Klez, according to
one security company. And, to make matters worse, the flaw is one
Microsoft said it fixed weeks ago.
The security hole, known as the "Object Data vulnerability",
affects Internet Explorer versions 5.01, 5.5 and 6.0. It concerns
the way that Explorer processes HTML (Hypertext Markup Language)
pages containing a special element called the Object Data tag.
If properly exploited, the vulnerability could enable an
attacker to place a malicious computer program on a user's machine.
No user actions would be required aside from opening an e-mail
message or visiting a web page containing the attack.
On 20 August, Microsoft released patch
MS03-032 for Explorer which, it claimed, closed the hole, in
addition to patching other security holes in the browser.
However, a message posted to a prominent security discussion
group on Sunday warned that the vulnerability still exists on
machines using Explorer even after applying the patch.
That message, posted by an individual using the name
"http-equiv@excite.com", contained sample code which showed that
Explorer is still vulnerable to attack using the vulnerability from
HTML pages created dynamically using computer script such as
JavaScript, embedded in web pages or e-mail messages.
A Microsoft spokesman confirmed that it is investigating the
reports of new exploits for one of the vulnerabilities addressed in
the MS03-032 security bulletin.
However, Microsoft still recommends that customers install that
patch, he said.
Microsoft claimed to be unaware of any customers who have been
attacked using the vulnerability.
However, security researchers know of at least one exploitation
of the Object Data vulnerability already circulating on the
internet. An alert by security company Secunia in Copenhagen said
that an e-mail message containing HTML code that exploits the
vulnerability is used to silently retrieve and run a file,
"drg.exe", which installs a file called "surferbar.dll" onto the
victim's computer.
That file adds a bar to the affected users' Explorer browser,
which has links to pornographic websites.
The Object Data vulnerability is also similar to an earlier
Explorer security hole dating to 2001, MS01-020, that was exploited
by virulent e-mail worms such as Nimda and Klez, according to
Secunia.
Security experts familiar with the issue say that Microsoft's
failure to test their patch thoroughly against attack scenarios
using the Object Data vulnerability is a black eye for the
company.
"Microsoft should be ashamed. This is a major embarrassment,"
said Richard Smith, an independent security analyst based in
Boston.
The problem with the Object Data vulnerability is similar to a
hole found in an earlier Microsoft patch, according to Israeli
security company GreyMagic Software, which issued a report on the
problem in February 2002.
That fact points to problems with Microsoft's patch testing
process, Smith said.
"They need to go back and look at how this slip-up occurred.
They keep saying they can't prevent bugs, but when the same
problems keep occurring over and over, that's a management issue,"
he said.
A Microsoft spokesman said the company is committed to keeping
customers data safe and will take "appropriate action" to protect
customers when its investigation into the new exploits is
complete.
In the absence of a patch from Microsoft to fix the problem,
security experts recommended disabling support for Active Scripting
on affected versions of Explorer. Failing that, users should
consider uninstalling Explorer to protect themselves from
attack.
Paul Roberts writes for IDG News Service