Interim Fix Released for Critical IE Flaw

Microsoft released an emergency configuration update over the July Fourth U.S. holiday that for the first time gives Internet Explorer users protection against the specific vulnerabilities exploited by the Download.Ject attack.

"We recommend that customers immediately install this configuration change through Windows Update," Microsoft said in a statement released Friday evening.

Microsoft's decision to release the configuration update 11 days before its next regularly scheduled Patch Tuesday on July 13 underscores what a serious problem the IE flaw represents. It is only the second time Microsoft has patched a flaw on any day other than the second Tuesday of the month since the company moved to a monthly patch cycle in October.

Meanwhile, the new patch protects against one specific way attackers can use the IE flaw, but more comprehensive fixes for Internet Explorer are necessary. Microsoft says it is working on releasing a comprehensive update of IE. The stopgap configuration update is currently available for Windows XP, Windows Server 2003 and Windows 2000. Microsoft is working on versions for Windows 98 and Windows Me.

The Download.Ject attack is one of the rare cases where a major vulnerability exploited by an attack in the wild has not already been patched by Microsoft days, weeks or months before the exploit code emerged.

Download.Ject relies on two vulnerabilities. One, in the Internet Information Services (IIS) 5.0 component of Windows 2000, was patched by Microsoft in April. The other, in Internet Explorer, apparently emerged with an adware exploit in early June, and had not been fixed despite its severity. The unpatched flaw in the Web browser gives attackers the opportunity to execute code on a user's computer without any user action other than visiting a URL where malicious code lurks.

While it is relatively hard for attackers to lure large numbers of users to sites created for such malicious purposes, the Download.Ject attackers used the IIS 5.0 flaw to compromise servers at several high-traffic sites. With no IE patch available for the flaw, end users had no defense against the two-part attack. Several prominent security officials recommended users abandon IE altogether until the problems were fixed.

"We have been working around-the-clock to further address the criminal malware targeting Internet Explorer users," Microsoft said in the statement announcing the configuration update.

The company's first response upon learning of Download.Ject on Thursday, June 24, was to work with law enforcement authorities and ISPs to shut down a Web server in Russia that Microsoft says was the origination point of the attack.

Microsoft described its configuration update as improving resiliency to protect against the Download.Ject attack. The Internet Storm Center, run by the SANS Institute, explains that the patch turns off the ADODB.Stream ActiveX Control that was used to install malware on PCs in the original attack. "However, … even after 'ADODB.Stream' is disabled, it is still possible to launch programs on the users system without user interaction," SANS warned.
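Because the configuration update works by blocking an ActiveX control rather than by changing code, an administrator can verify that a machine actually received it. The following PowerShell check is an added example and is not part of the article or of Microsoft's update; it assumes the control is blocked through Internet Explorer's standard "kill bit" mechanism, with the ADODB.Stream CLSID and the 0x400 Compatibility Flags value taken from Microsoft's kill-bit documentation (KB870669 and KB240797), and it reports both the native registry hive and the Wow6432Node hive that 32-bit Internet Explorer reads on 64-bit Windows.

```powershell
# Added example, not from the article: report whether the ADODB.Stream ActiveX
# control carries the Internet Explorer "kill bit" that blocks it from loading.
# The CLSID and flag value come from Microsoft's kill-bit documentation
# (KB870669, KB240797); they are not quoted in the article itself.
$AdodbStreamClsid = '{00000566-0000-0010-8000-00AA006D2EA4}'
$KillBitFlag      = 0x400   # "Compatibility Flags" bit that blocks a control in IE

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    # On 64-bit Windows, 32-bit Internet Explorer consults the Wow6432Node copy,
    # so a kill bit present in only one hive leaves the other bitness exposed.
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )

    foreach ($key in $keys) {
        $present = Test-Path -Path $key
        $flags   = $null
        if ($present) {
            $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        # Emit one row per hive: whether the key exists and whether the kill bit is set.
        [pscustomobject]@{
            Key        = $key
            KeyPresent = $present
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
        }
    }
}

Test-KillBit -Clsid $AdodbStreamClsid | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; a row with KillBitSet of False for the native hive means the stopgap is not in place on that machine. On 32-bit Windows the Wow6432Node row will simply show KeyPresent as False, which is expected. Note that this check confirms only the narrow mitigation the article describes; as the SANS warning above points out, it does not by itself establish that the underlying browser flaw is closed.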

Microsoft said further security updates to Internet Explorer will arrive "in coming weeks." Microsoft has said that technologies in Windows XP Service Pack 2 protect IE users against vulnerabilities like those used in Download.Ject, but the company offered no more definitive word on when SP2 would ship.

The Microsoft statement also indicated that an overhaul of Internet Explorer for several platforms was on the way. "A comprehensive update for all supported versions of Internet Explorer will be released once it has been thoroughly tested and found to be effective across a wide variety of supported versions and configurations of Internet Explorer."

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
