Microsoft's effort last week to fix a vulnerability in
the Internet Explorer (IE) web browser program and end the latest
series of internet attacks does not address another closely related
and dangerous vulnerability, according to a security
specialist.
Dutch security expert Jelmer Kuperus published code on the web
last week that he said can be used to break into fully patched
Windows systems using a slightly modified version of an attack
called Download.Ject, which Microsoft patched last week.
The latest attack targets a hole in a different Windows
component than the one addressed by Microsoft's software patch.
Using a similar attack, malicious hackers could break into even
patched Windows machines, Kuperus said.
Microsoft confirmed that the company is aware of the exploit
code, but does not believe any customers have been attacked using
the Shell.Application exploit, a spokeswoman said.
Last week, Microsoft introduced a security update for Internet
Explorer 6.0 to end the threat of Download.Ject. The update
disables a Windows component called ADODB.Stream, which was
allegedly being used by a Russian criminal gang called the Hangup
Team to install malicious code on computers.
By attacking a different Windows ActiveX component called
Shell.Application, hackers can load malicious code onto
machines.
The attack relies on a vulnerability in Shell.Application
discovered and disclosed in January by a security expert known by
the online handle "http-equiv," Kuperus said
(archives.neohapsis.com/archives/fulldisclosure/2004-01/0001.html).
To prove his point, Kuperus posted a copy of attack code that
targets the Shell.Application component on a website. Web surfers
who use Windows XP with IE and visit the page are confronted with
a screen that freezes Windows.
According to Kuperus, this example is harmless, but the exploit
could be used in the same way the group of Russian criminals
exploited the ADODB.Stream vulnerability in a series of attacks in
June.
Those attacks combined compromises of unpatched Microsoft Internet
Information Services (IIS) web servers with attacks using two
vulnerabilities in Windows and the Internet Explorer web browser.
Web surfers visiting compromised websites had malicious code
secretly downloaded to run on their systems.
When run, the code redirected web browsers to websites
controlled by the hackers, from which personal data was downloaded
and a Trojan horse program captured keystrokes.
Kuperus joined the expert known as http-equiv to create computer
code that demonstrated the Shell.Application vulnerability. After
the attacks in June, the two anticipated that the patch issued by
Microsoft would not be comprehensive and began writing a new
exploit before Microsoft actually plugged the ADODB.Stream
vulnerability.
A few hours after Microsoft issued its update, Kuperus posted
the new exploit on his site.
"We discovered that by simply switching components, the exploit
is back in business," Kuperus said.
Microsoft acknowledged that the Shell.Application component has
similar capabilities to the ADODB.Stream component. However, it does not
yet have configuration changes to address the vulnerability, as it
did with ADODB.Stream, a spokeswoman said.
The software company is investigating the issue and is planning
a series of updates to IE in the coming weeks that will provide
additional security for its customers, she said.
Wilbert de Vries and Paul Roberts write for WebWereld