By Robert Lemos
Posted on ZDNet News: Jul 2, 2004 8:00:00 PM

Microsoft released on Friday a work-around for an Internet Explorer vulnerability that has left Windows users open to attacks for almost nine months.

The flaw, in an ActiveX scripting component, gained notoriety last month when it became the mechanism used by a network of compromised Web sites to install a malicious program on victims' computers. Microsoft has decided to plug the hole by turning off the ability for the ActiveX component to write to the operating system. The software giant published the work-around on its Web site and directed customers to use its Windows update service to download the patch.

Though Microsoft intends the change to become a standard configuration for Windows, the software giant is working on a more comprehensive solution, said Stephen Toulouse, security program manager for Microsoft's security response center.

"It is a permanent change, but it is an interim step--we are still in the middle of our investigation," he said. "We have taken a look at the functionality in the product and seen that that functionality is really being used by attackers."

The change fixes a problem that allowed several compromised Web sites to infect visitors' PCs with a Trojan horse program, known as Download.Ject or JS.Scob.Trojan. The program would record the user's keystrokes and send them to an overseas e-mail address. That Internet Explorer security issue and several others led some security experts to suggest that users should consider alternative browsers.

Microsoft's configuration change blocks the ability of the ADODB.Stream ActiveX component to write to the PC's hard drive. ActiveX, which adds interactivity to Web sites viewed with Internet Explorer, has long been thought to have security issues.

This particular vulnerability has been known about for more than 9 months, said David Endler, director of incident response for security company Tipping Point.

"Though written configuration hardening instructions have been available online for a while, it's nice to finally see this particular security tweak in Internet Explorer distributed to the masses, even if it's long overdue," he said.

Microsoft continues to study this issue and expects to release a more comprehensive patch. Moreover, the company is readying a major security update for Windows XP, known as Service Pack 2, that should be out later this summer.

