[PBARC] Report Warns All Browsers At Risk

[WOLF, EARNEST G]

All -

I found that firefox 0.9.1 didn't have the problem listed below (based on
the Secunia test).  All the others (IE, Mozilla, and Netscape all) "failed"
their test - that is, the Secunia page came up in the middle of the MSDN
page.

glenn



Microsoft Plugs IE; Report Warns All Browsers At Risk
July 2, 2004 (3:34 p.m. EST)
By Gregg Keizer, TechWeb News 

As if to prove the point that security is like the Dutch boy at the dike,
Microsoft on Friday released a stop-gap fix for one of several
vulnerabilities that have plagued its Internet Explorer just as a security
firm warned that virtually every browser -- not just IE -- can be spoofed by
hackers. 

The update, which Microsoft tagged as "Critical," isn't a patch per se, but
rather an change to Windows that disables the ADODB.Stream object within the
operating system's Data Access Components (DAC). 
Last week, an innovative attack launched by a Russian hacker group from
previously-infected Microsoft Internet Information Services (IIS) servers
compromised a large number of PCs with identity- and financial
information-thieving Trojan horses and key loggers. The attack exploited a
pair of vulnerabilities in Internet Explorer, one of which -- ADODB -- had
not been patched by Microsoft. 

While the Russian Web site that hosted the malicious code -- which was
surreptitiously downloaded to the compromised computers -- was taken down
last Friday to remove the immediate danger, Microsoft has still not released
a patch. The ADODB disabler is meant only as a temporary fix, said
Microsoft, until it can permanently fix IE. 
"In addition to this configuration change, Microsoft is working to provide a
series of security updates to Internet Explorer in coming weeks that will
provide additional protections," said Microsoft in a statement. Microsoft
did not offer up a timeline for any future IE patches, saying only that "a
comprehensive update will be released once it has been thoroughly tested." 

The update to disable ADODB should be downloaded and installed by all users
of Windows NT, Windows 2000, Windows XP, and Windows Server 2003, Microsoft
said. It's available on the Windows Download site, or via the Windows Update
service. Windows XP Service Pack 2 (SP2), which is expected to release in
final form this summer, is not susceptible to the ADODB vulnerability. 

Friday's update is one of the few pieces of good news IE users have heard in
the last week. 
After a rash of exploits against IE vulnerabilities -- including the Web
attack of last week, password-stealing Trojans, and a new way for hackers to
spoof, or fake, Web sites -- some security analysts questioned whether
Internet Explorer was safe enough to use. 

Even the U.S. Computer Emergency Response Team (US-CERT), part of the
federal government's Department of Homeland Security, recommended that users
consider ditching IE for an alternate such as Mozilla or Opera. 
"We're recommending one of two things," said Thomas Kristensen, the chief
technology officer at Danish security firm Secunia. "Either use Internet
Explorer under very restricted security settings -- which may not be
possible for all companies -- or install a different browser." 

Wednesday, Secunia issued a warning saying it had discovered a vulnerability
within IE that allowed scammers to spoof, or fake, the content of a site
displayed in the browser. 
On Friday, however, the security vendor modified the alert to claim that
virtually every browser, from Internet Explorer and Mozilla to Opera and
Netscape -- including browsers for both Windows and the Mac OS -- has this
flaw. 
"It's not a code vulnerability," said Secunia's Kristensen, "but a design
flaw." 

The problem stems from how browsers handle frames. "Some time ago, browser
designers decided that one site needed to be able to manipulate the content
of another, and the functionality was adopted by everyone," said Kristensen.
But hackers can use this to inject phony content -- say their own credit
card-stealing form -- into a frame of an actual trusted Web site, such as a
user's online bank. 

"In these times of phishing attacks and other scams, this is a problem,"
said Kristensen. "You're visiting a bank or an e-commerce site, and you're
certain of that site, but meanwhile, it's [actually] open in the background
to content change by hackers." 

Internet Explorer users can stymie such spoofing attacks by disabling the
"Navigate sub-frames across different domains" setting under Tools/Internet
Options/Security. 

Secunia offered up a quick test that users can run to see if their current
browser is vulnerable to this problem.