Serious security flaw found in IE

[Bill Sanderson]

Folks using these work-arounds should be aware that at least one of them
will break Outlook Web Access, which may be of significance to anyone in an
office using Small Business Server, or in larger networks using Exchange and
Outlook as well.

I recommend reversing these work-arounds prior to applying todays patch--but
I haven't yet read what Microsoft's advice is about this.

I applied the work arounds recommended in the advisory.
Should work until:
http://blogs.technet.com/msrc/archi...on-for-december-2008-out-of-band-release.aspx
Microsoft Security Bulletin Advance Notification for December 2008
This is an advance notification of an out-of-band security bulletin that
Microsoft is intending to release on December 17, 2008.
Source: http://www.microsoft.com/technet/security/Bulletin/ms08-dec.mspx

You should subscribe to a security feed or alert from Microsoft,
then you won't have to wait for someone to else to publish it.
I get this feed http://blogs.technet.com/msrc/default.aspx

mae

| Here is the official notification from Microsoft which was first
published
| on December 10, 2008 and updated on December 15:
| http://www.microsoft.com/technet/security/advisory/961051.mspx
|
| Alan
|
| | > Here's a News Article carried today by the BBC at
| > http://news.bbc.co.uk/2/hi/technology/7784908.stm
| >
| > Serious security flaw found in IE
| >
| > Users of Microsoft's Internet Explorer are being urged by experts to
| > switch to a rival until a serious security flaw has been fixed.
| >
| > The flaw in Microsoft's Internet Explorer could allow criminals to
take
| > control of people's computers and steal their passwords, internet
experts
| > say.
| >
| > Microsoft urged people to be vigilant while it investigated and
prepared
| > an emergency patch to resolve it.
| >
| > Internet Explorer is used by the vast majority of the world's computer
| > users.
| >
| >
| > "Microsoft is continuing its investigation of public reports of
attacks
| > against a new vulnerability in Internet Explorer," said the firm in a
| > security advisory alert about the flaw.
| >
| > Microsoft says it has detected attacks against IE 7.0 but said the
| > "underlying vulnerability" was present in all versions of the browser.
| >
| > Other browsers, such as Firefox, Opera, Chrome, Safari, are not
vulnerable
| > to the flaw Microsoft has identified.
| >
| > Browser bait
| >
| > "In this case, hackers found the hole before Microsoft did," said Rick
| > Ferguson, senior security advisor at Trend Micro. "This is never a
good
| > thing."
| >
| > As many as 10,000 websites have been compromised since the
vulnerability
| > was discovered, he said.
| >
| > "What we've seen from the exploit so far is it stealing game
passwords,
| > but it's inevitable that it will be adapted by criminals," he said.
"It's
| > just a question of modifying the payload the trojan installs."
| >
| >
| > Said Mr Ferguson: "If users can find an alternative browser, then
that's
| > good mitigation against the threat."
| >
| > But Microsoft counselled against taking such action.
| >
| > "I cannot recommend people switch due to this one flaw," said John
Curran,
| > head of Microsoft UK's Windows group.
| >
| > He added: "We're trying to get this resolved as soon as possible.
| >
| > "At present, this exploit only seems to affect 0.02% of internet
sites,"
| > said Mr Curran. "In terms of vulnerability, it only seems to be
affecting
| > IE7 users at the moment, but could well encompass other versions in
time."
| >
| > Richard Cox, chief information officer of anti-spam body The Spamhaus
| > Project and an expert on privacy and cyber security, echoed Trend
Micro's
| > warning.
| >
| > "It won't be long before someone reverse engineers this exploit for
more
| > fraudulent purposes. Trend Mico's advice [of switching to an
alternative
| > web browser] is very sensible," he said.
| >
| > PC Pro magazine's security editor, Darien Graham-Smith, said that
there
| > was a virtual arms race going on, with hackers always on the look out
for
| > new vulnerabilities.
| >
| > "The message needs to get out that this malicious code can be planted
on
| > any web site, so simple careful browsing isn't enough."
| >
| > "It's a shame Microsoft have not been able to fix this more quickly,
but
| > letting people know about this flaw was the right thing to do. If you
keep
| > flaws like this quiet, people are put at risk without knowing it."
| >
| > "Every browser is susceptible to vulnerabilities from time to time.
It's
| > fine to say 'don't use Internet Explorer' for now, but other browsers
may
| > well find themselves in a similar situation," he added.
| >
| >
| >
|
|

 

[Bill Sanderson]

They do indeed. Although it is appropriate to blame the folks who hack
legitimate sites and install malware, clearly the admins of those legitimate
sites have not been doing all they could have.

(and so I say, as an admin of half a dozen such sites. It's a balancing
act--I know very little about web authoring, MySQL, or the various packages
that various developers have used over time to develop the sites I have
overall charge of. I try to stay on top of security issues, and I do
discuss the specific issue of SQL injection attacks with our developers just
to see how they respond. This stuff is not cut and dried--there isn't any
simple testing tool that can tell you whether or not your site is safe, as
far as I can tell--it is a question of the skills of your staff. )

Let us not forget the `good` web site devlopers have a certain
responsibility
here.

Stu

I managed to not broadcast this issue to the users I support--but several
people either asked about it or sent me information about the issue to
make
sure I knew about it.

I wasn't yet ready to put into effect the work-arounds Microsoft has
supplied, given my understanding of the extent of the risk--and I see no
point in creating fear and doubt without a clear set of actions to
prescribe.

I did write everyone this morning asking that they apply today's patch as
soon as it is convenient for them, and I'll be doing that manually on
systems I can reach when it is available.

This was a close call--the code to exploit the vulnerability was publicly
available since December 10th--meaning that anyone could pick it up and
make
use of it. Fortunately, it required that you visit a web site to be
infected--it isn't something that can directly infect from an email
message.

There were some innocent sites that were hacked to distribute this
malicious
code--which is a good part of where the real risk lies for users who
don't
frequent porn sites.

I doubt that my users were making use of the features of Internet
Explorer
that would be disabled by the simpler work-arounds for this exploit, but
I'm
not certain of that, and did't want to have to fix this twice--once via a
work-around and then need to reverse that and install the final patch.

I'm glad they were able to produce a patch quickly.

--

Panic over Bill? You know, maybe I`m too laid back with these security
issues. I can never understand why there is this tendency for a `knee
jerk`
reaction with associated buzz on these NGs - like bees which have just
been
awoken from their hives. Everything buzzing around (deliberating and
speculating) while someone works quietly in the background resolving
the
issue. Perhaps there are times when ignorance is bliss ;)

Stu

:

A patch for this will be issued tomorrow, as others in this thead have
noted
(oops--today!)

I'd advise installing this patch.

That's what I plan to do.

--

Here's a News Article carried today by the BBC at
http://news.bbc.co.uk/2/hi/technology/7784908.stm

Serious security flaw found in IE

Users of Microsoft's Internet Explorer are being urged by experts to
switch to a rival until a serious security flaw has been fixed.

The flaw in Microsoft's Internet Explorer could allow criminals to
take
control of people's computers and steal their passwords, internet
experts
say.

Microsoft urged people to be vigilant while it investigated and
prepared
an emergency patch to resolve it.

Internet Explorer is used by the vast majority of the world's
computer
users.


"Microsoft is continuing its investigation of public reports of
attacks
against a new vulnerability in Internet Explorer," said the firm in
a
security advisory alert about the flaw.

Microsoft says it has detected attacks against IE 7.0 but said the
"underlying vulnerability" was present in all versions of the
browser.

Other browsers, such as Firefox, Opera, Chrome, Safari, are not
vulnerable
to the flaw Microsoft has identified.

Browser bait

"In this case, hackers found the hole before Microsoft did," said
Rick
Ferguson, senior security advisor at Trend Micro. "This is never a
good
thing."

As many as 10,000 websites have been compromised since the
vulnerability
was discovered, he said.

"What we've seen from the exploit so far is it stealing game
passwords,
but it's inevitable that it will be adapted by criminals," he said.
"It's
just a question of modifying the payload the trojan installs."


Said Mr Ferguson: "If users can find an alternative browser, then
that's
good mitigation against the threat."

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said John
Curran,
head of Microsoft UK's Windows group.

He added: "We're trying to get this resolved as soon as possible.

"At present, this exploit only seems to affect 0.02% of internet
sites,"
said Mr Curran. "In terms of vulnerability, it only seems to be
affecting
IE7 users at the moment, but could well encompass other versions in
time."

Richard Cox, chief information officer of anti-spam body The
Spamhaus
Project and an expert on privacy and cyber security, echoed Trend
Micro's
warning.

"It won't be long before someone reverse engineers this exploit for
more
fraudulent purposes. Trend Mico's advice [of switching to an
alternative
web browser] is very sensible," he said.

PC Pro magazine's security editor, Darien Graham-Smith, said that
there
was a virtual arms race going on, with hackers always on the look
out
for
new vulnerabilities.

"The message needs to get out that this malicious code can be
planted
on
any web site, so simple careful browsing isn't enough."

"It's a shame Microsoft have not been able to fix this more quickly,
but
letting people know about this flaw was the right thing to do. If
you
keep
flaws like this quiet, people are put at risk without knowing it."

"Every browser is susceptible to vulnerabilities from time to time.
It's
fine to say 'don't use Internet Explorer' for now, but other
browsers
may
well find themselves in a similar situation," he added.

 

[Bill Sanderson]

Sure enough, applying the reversal .REG file given in the Microsoft document
referred to by this diary entry reversed the symptoms on the machine in
question. The regular user declares complete ignorance of this issue--and I
believe him. There's a supervisory staff person who sometimes uses his
machine and is not in today. He's next on my list...

 

[robinb]

really? I thought you could not do the updates via firefox, I had tried in
the past do you have the ie tab ad on? I do not- I am wondering if that
makes a difference?
robin

Why? I always run Microsoft Update on Firefox. (IE Tab add-on may be
required.)

I use firefox exclusivity except for Windows updates
I will wait for tomorrow to get the patch
and my clients only use firefox too
robin

Here's a News Article carried today by the BBC at
http://news.bbc.co.uk/2/hi/technology/7784908.stm

Serious security flaw found in IE

Users of Microsoft's Internet Explorer are being urged by experts to
switch to a rival until a serious security flaw has been fixed.

The flaw in Microsoft's Internet Explorer could allow criminals to take
control of people's computers and steal their passwords, internet
experts say.

Microsoft urged people to be vigilant while it investigated and prepared
an emergency patch to resolve it.

Internet Explorer is used by the vast majority of the world's computer
users.


"Microsoft is continuing its investigation of public reports of attacks
against a new vulnerability in Internet Explorer," said the firm in a
security advisory alert about the flaw.

Microsoft says it has detected attacks against IE 7.0 but said the
"underlying vulnerability" was present in all versions of the browser.

Other browsers, such as Firefox, Opera, Chrome, Safari, are not
vulnerable to the flaw Microsoft has identified.

Browser bait

"In this case, hackers found the hole before Microsoft did," said Rick
Ferguson, senior security advisor at Trend Micro. "This is never a good
thing."

As many as 10,000 websites have been compromised since the vulnerability
was discovered, he said.

"What we've seen from the exploit so far is it stealing game passwords,
but it's inevitable that it will be adapted by criminals," he said.
"It's just a question of modifying the payload the trojan installs."


Said Mr Ferguson: "If users can find an alternative browser, then that's
good mitigation against the threat."

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said John
Curran, head of Microsoft UK's Windows group.

He added: "We're trying to get this resolved as soon as possible.

"At present, this exploit only seems to affect 0.02% of internet sites,"
said Mr Curran. "In terms of vulnerability, it only seems to be
affecting IE7 users at the moment, but could well encompass other
versions in time."

Richard Cox, chief information officer of anti-spam body The Spamhaus
Project and an expert on privacy and cyber security, echoed Trend
Micro's warning.

"It won't be long before someone reverse engineers this exploit for more
fraudulent purposes. Trend Mico's advice [of switching to an alternative
web browser] is very sensible," he said.

PC Pro magazine's security editor, Darien Graham-Smith, said that there
was a virtual arms race going on, with hackers always on the look out
for new vulnerabilities.

"The message needs to get out that this malicious code can be planted on
any web site, so simple careful browsing isn't enough."

"It's a shame Microsoft have not been able to fix this more quickly, but
letting people know about this flaw was the right thing to do. If you
keep flaws like this quiet, people are put at risk without knowing it."

"Every browser is susceptible to vulnerabilities from time to time. It's
fine to say 'don't use Internet Explorer' for now, but other browsers
may well find themselves in a similar situation," he added.

 

[robinb]

of course everyone should install the patch- that is a given
robin

A patch for this will be issued tomorrow, as others in this thead have
noted (oops--today!)

I'd advise installing this patch.

That's what I plan to do.

--

Here's a News Article carried today by the BBC at
http://news.bbc.co.uk/2/hi/technology/7784908.stm

Serious security flaw found in IE

Users of Microsoft's Internet Explorer are being urged by experts to
switch to a rival until a serious security flaw has been fixed.

The flaw in Microsoft's Internet Explorer could allow criminals to take
control of people's computers and steal their passwords, internet experts
say.

Microsoft urged people to be vigilant while it investigated and prepared
an emergency patch to resolve it.

Internet Explorer is used by the vast majority of the world's computer
users.


"Microsoft is continuing its investigation of public reports of attacks
against a new vulnerability in Internet Explorer," said the firm in a
security advisory alert about the flaw.

Microsoft says it has detected attacks against IE 7.0 but said the
"underlying vulnerability" was present in all versions of the browser.

Other browsers, such as Firefox, Opera, Chrome, Safari, are not
vulnerable to the flaw Microsoft has identified.

Browser bait

"In this case, hackers found the hole before Microsoft did," said Rick
Ferguson, senior security advisor at Trend Micro. "This is never a good
thing."

As many as 10,000 websites have been compromised since the vulnerability
was discovered, he said.

"What we've seen from the exploit so far is it stealing game passwords,
but it's inevitable that it will be adapted by criminals," he said. "It's
just a question of modifying the payload the trojan installs."


Said Mr Ferguson: "If users can find an alternative browser, then that's
good mitigation against the threat."

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said John
Curran, head of Microsoft UK's Windows group.

He added: "We're trying to get this resolved as soon as possible.

"At present, this exploit only seems to affect 0.02% of internet sites,"
said Mr Curran. "In terms of vulnerability, it only seems to be affecting
IE7 users at the moment, but could well encompass other versions in
time."

Richard Cox, chief information officer of anti-spam body The Spamhaus
Project and an expert on privacy and cyber security, echoed Trend Micro's
warning.

"It won't be long before someone reverse engineers this exploit for more
fraudulent purposes. Trend Mico's advice [of switching to an alternative
web browser] is very sensible," he said.

PC Pro magazine's security editor, Darien Graham-Smith, said that there
was a virtual arms race going on, with hackers always on the look out for
new vulnerabilities.

"The message needs to get out that this malicious code can be planted on
any web site, so simple careful browsing isn't enough."

"It's a shame Microsoft have not been able to fix this more quickly, but
letting people know about this flaw was the right thing to do. If you
keep flaws like this quiet, people are put at risk without knowing it."

"Every browser is susceptible to vulnerabilities from time to time. It's
fine to say 'don't use Internet Explorer' for now, but other browsers may
well find themselves in a similar situation," he added.

 

[robinb]

so where is this patch? I have not gotten it yet
robin

Folks using these work-arounds should be aware that at least one of them
will break Outlook Web Access, which may be of significance to anyone in
an office using Small Business Server, or in larger networks using
Exchange and Outlook as well.

I recommend reversing these work-arounds prior to applying todays
patch--but I haven't yet read what Microsoft's advice is about this.

I applied the work arounds recommended in the advisory.
Should work until:
http://blogs.technet.com/msrc/archi...on-for-december-2008-out-of-band-release.aspx
Microsoft Security Bulletin Advance Notification for December 2008
This is an advance notification of an out-of-band security bulletin that
Microsoft is intending to release on December 17, 2008.
Source: http://www.microsoft.com/technet/security/Bulletin/ms08-dec.mspx

You should subscribe to a security feed or alert from Microsoft,
then you won't have to wait for someone to else to publish it.
I get this feed http://blogs.technet.com/msrc/default.aspx

mae

| Here is the official notification from Microsoft which was first
published
| on December 10, 2008 and updated on December 15:
| http://www.microsoft.com/technet/security/advisory/961051.mspx
|
| Alan
|
| | > Here's a News Article carried today by the BBC at
| > http://news.bbc.co.uk/2/hi/technology/7784908.stm
| >
| > Serious security flaw found in IE
| >
| > Users of Microsoft's Internet Explorer are being urged by experts to
| > switch to a rival until a serious security flaw has been fixed.
| >
| > The flaw in Microsoft's Internet Explorer could allow criminals to
take
| > control of people's computers and steal their passwords, internet
experts
| > say.
| >
| > Microsoft urged people to be vigilant while it investigated and
prepared
| > an emergency patch to resolve it.
| >
| > Internet Explorer is used by the vast majority of the world's
computer
| > users.
| >
| >
| > "Microsoft is continuing its investigation of public reports of
attacks
| > against a new vulnerability in Internet Explorer," said the firm in a
| > security advisory alert about the flaw.
| >
| > Microsoft says it has detected attacks against IE 7.0 but said the
| > "underlying vulnerability" was present in all versions of the
browser.
| >
| > Other browsers, such as Firefox, Opera, Chrome, Safari, are not
vulnerable
| > to the flaw Microsoft has identified.
| >
| > Browser bait
| >
| > "In this case, hackers found the hole before Microsoft did," said
Rick
| > Ferguson, senior security advisor at Trend Micro. "This is never a
good
| > thing."
| >
| > As many as 10,000 websites have been compromised since the
vulnerability
| > was discovered, he said.
| >
| > "What we've seen from the exploit so far is it stealing game
passwords,
| > but it's inevitable that it will be adapted by criminals," he said.
"It's
| > just a question of modifying the payload the trojan installs."
| >
| >
| > Said Mr Ferguson: "If users can find an alternative browser, then
that's
| > good mitigation against the threat."
| >
| > But Microsoft counselled against taking such action.
| >
| > "I cannot recommend people switch due to this one flaw," said John
Curran,
| > head of Microsoft UK's Windows group.
| >
| > He added: "We're trying to get this resolved as soon as possible.
| >
| > "At present, this exploit only seems to affect 0.02% of internet
sites,"
| > said Mr Curran. "In terms of vulnerability, it only seems to be
affecting
| > IE7 users at the moment, but could well encompass other versions in
time."
| >
| > Richard Cox, chief information officer of anti-spam body The Spamhaus
| > Project and an expert on privacy and cyber security, echoed Trend
Micro's
| > warning.
| >
| > "It won't be long before someone reverse engineers this exploit for
more
| > fraudulent purposes. Trend Mico's advice [of switching to an
alternative
| > web browser] is very sensible," he said.
| >
| > PC Pro magazine's security editor, Darien Graham-Smith, said that
there
| > was a virtual arms race going on, with hackers always on the look out
for
| > new vulnerabilities.
| >
| > "The message needs to get out that this malicious code can be planted
on
| > any web site, so simple careful browsing isn't enough."
| >
| > "It's a shame Microsoft have not been able to fix this more quickly,
but
| > letting people know about this flaw was the right thing to do. If you
keep
| > flaws like this quiet, people are put at risk without knowing it."
| >
| > "Every browser is susceptible to vulnerabilities from time to time.
It's
| > fine to say 'don't use Internet Explorer' for now, but other browsers
may
| > well find themselves in a similar situation," he added.
| >
| >
| >
|
|

 

[robinb]

wow it works!
I installed the ie tab add on and I can do the windows update- only there is
nothing there yet for the patch so I cannot test it
robin

really? I thought you could not do the updates via firefox, I had tried in
the past do you have the ie tab ad on? I do not- I am wondering if that
makes a difference?
robin

Why? I always run Microsoft Update on Firefox. (IE Tab add-on may be
required.)

I use firefox exclusivity except for Windows updates
I will wait for tomorrow to get the patch
and my clients only use firefox too
robin


Here's a News Article carried today by the BBC at
http://news.bbc.co.uk/2/hi/technology/7784908.stm

Serious security flaw found in IE

Users of Microsoft's Internet Explorer are being urged by experts to
switch to a rival until a serious security flaw has been fixed.

The flaw in Microsoft's Internet Explorer could allow criminals to take
control of people's computers and steal their passwords, internet
experts say.

Microsoft urged people to be vigilant while it investigated and
prepared an emergency patch to resolve it.

Internet Explorer is used by the vast majority of the world's computer
users.


"Microsoft is continuing its investigation of public reports of attacks
against a new vulnerability in Internet Explorer," said the firm in a
security advisory alert about the flaw.

Microsoft says it has detected attacks against IE 7.0 but said the
"underlying vulnerability" was present in all versions of the browser.

Other browsers, such as Firefox, Opera, Chrome, Safari, are not
vulnerable to the flaw Microsoft has identified.

Browser bait

"In this case, hackers found the hole before Microsoft did," said Rick
Ferguson, senior security advisor at Trend Micro. "This is never a good
thing."

As many as 10,000 websites have been compromised since the
vulnerability was discovered, he said.

"What we've seen from the exploit so far is it stealing game passwords,
but it's inevitable that it will be adapted by criminals," he said.
"It's just a question of modifying the payload the trojan installs."


Said Mr Ferguson: "If users can find an alternative browser, then
that's good mitigation against the threat."

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said John
Curran, head of Microsoft UK's Windows group.

He added: "We're trying to get this resolved as soon as possible.

"At present, this exploit only seems to affect 0.02% of internet
sites," said Mr Curran. "In terms of vulnerability, it only seems to be
affecting IE7 users at the moment, but could well encompass other
versions in time."

Richard Cox, chief information officer of anti-spam body The Spamhaus
Project and an expert on privacy and cyber security, echoed Trend
Micro's warning.

"It won't be long before someone reverse engineers this exploit for
more fraudulent purposes. Trend Mico's advice [of switching to an
alternative web browser] is very sensible," he said.

PC Pro magazine's security editor, Darien Graham-Smith, said that there
was a virtual arms race going on, with hackers always on the look out
for new vulnerabilities.

"The message needs to get out that this malicious code can be planted
on any web site, so simple careful browsing isn't enough."

"It's a shame Microsoft have not been able to fix this more quickly,
but letting people know about this flaw was the right thing to do. If
you keep flaws like this quiet, people are put at risk without knowing
it."

"Every browser is susceptible to vulnerabilities from time to time.
It's fine to say 'don't use Internet Explorer' for now, but other
browsers may well find themselves in a similar situation," he added.

 

[gene]

wow it works!
I installed the ie tab add on and I can do the windows update- only there is
nothing there yet for the patch so I cannot test it
robin

I quit trying in Opera. I use IE7 as a backup for those sites that are
hostile or diffidently indifferent to Opera, so I made the mods. MS
better hurry up, tho, I'm getting carpal tunnel from all the scripts
messages I've messages had to ok (the most on one page so far is about
20).

Gene

 

[Anonymous Bob]

Sure enough, applying the reversal .REG file given in the Microsoft document
referred to by this diary entry reversed the symptoms on the machine in
question. The regular user declares complete ignorance of this issue--and I
believe him. There's a supervisory staff person who sometimes uses his
machine and is not in today. He's next on my list...

Thank, Bill.

The Security Advisory in question has been updated today and there is no reg
file there now:
http://www.microsoft.com/technet/security/advisory/961051.mspx

I don't think it will cause me any problems, but I *can* imagine something
not working far in the future when we all will have forgotten this issue.

 

[Bill Sanderson]

The web "meeting" to talk about it is scheduled for 1 pacific time, which is
5 our time? It wouldn't surprise me if it came out quite late in the day.
I have just checked in Vista and at the MSRC blog and seen nothing yet.

so where is this patch? I have not gotten it yet
robin

Folks using these work-arounds should be aware that at least one of them
will break Outlook Web Access, which may be of significance to anyone in
an office using Small Business Server, or in larger networks using
Exchange and Outlook as well.

I recommend reversing these work-arounds prior to applying todays
patch--but I haven't yet read what Microsoft's advice is about this.

I applied the work arounds recommended in the advisory.
Should work until:
http://blogs.technet.com/msrc/archi...on-for-december-2008-out-of-band-release.aspx
Microsoft Security Bulletin Advance Notification for December 2008
This is an advance notification of an out-of-band security bulletin that
Microsoft is intending to release on December 17, 2008.
Source: http://www.microsoft.com/technet/security/Bulletin/ms08-dec.mspx

You should subscribe to a security feed or alert from Microsoft,
then you won't have to wait for someone to else to publish it.
I get this feed http://blogs.technet.com/msrc/default.aspx

mae

| Here is the official notification from Microsoft which was first
published
| on December 10, 2008 and updated on December 15:
| http://www.microsoft.com/technet/security/advisory/961051.mspx
|
| Alan
|
| | > Here's a News Article carried today by the BBC at
| > http://news.bbc.co.uk/2/hi/technology/7784908.stm
| >
| > Serious security flaw found in IE
| >
| > Users of Microsoft's Internet Explorer are being urged by experts to
| > switch to a rival until a serious security flaw has been fixed.
| >
| > The flaw in Microsoft's Internet Explorer could allow criminals to
take
| > control of people's computers and steal their passwords, internet
experts
| > say.
| >
| > Microsoft urged people to be vigilant while it investigated and
prepared
| > an emergency patch to resolve it.
| >
| > Internet Explorer is used by the vast majority of the world's
computer
| > users.
| >
| >
| > "Microsoft is continuing its investigation of public reports of
attacks
| > against a new vulnerability in Internet Explorer," said the firm in
a
| > security advisory alert about the flaw.
| >
| > Microsoft says it has detected attacks against IE 7.0 but said the
| > "underlying vulnerability" was present in all versions of the
browser.
| >
| > Other browsers, such as Firefox, Opera, Chrome, Safari, are not
vulnerable
| > to the flaw Microsoft has identified.
| >
| > Browser bait
| >
| > "In this case, hackers found the hole before Microsoft did," said
Rick
| > Ferguson, senior security advisor at Trend Micro. "This is never a
good
| > thing."
| >
| > As many as 10,000 websites have been compromised since the
vulnerability
| > was discovered, he said.
| >
| > "What we've seen from the exploit so far is it stealing game
passwords,
| > but it's inevitable that it will be adapted by criminals," he said.
"It's
| > just a question of modifying the payload the trojan installs."
| >
| >
| > Said Mr Ferguson: "If users can find an alternative browser, then
that's
| > good mitigation against the threat."
| >
| > But Microsoft counselled against taking such action.
| >
| > "I cannot recommend people switch due to this one flaw," said John
Curran,
| > head of Microsoft UK's Windows group.
| >
| > He added: "We're trying to get this resolved as soon as possible.
| >
| > "At present, this exploit only seems to affect 0.02% of internet
sites,"
| > said Mr Curran. "In terms of vulnerability, it only seems to be
affecting
| > IE7 users at the moment, but could well encompass other versions in
time."
| >
| > Richard Cox, chief information officer of anti-spam body The
Spamhaus
| > Project and an expert on privacy and cyber security, echoed Trend
Micro's
| > warning.
| >
| > "It won't be long before someone reverse engineers this exploit for
more
| > fraudulent purposes. Trend Mico's advice [of switching to an
alternative
| > web browser] is very sensible," he said.
| >
| > PC Pro magazine's security editor, Darien Graham-Smith, said that
there
| > was a virtual arms race going on, with hackers always on the look
out
for
| > new vulnerabilities.
| >
| > "The message needs to get out that this malicious code can be
planted on
| > any web site, so simple careful browsing isn't enough."
| >
| > "It's a shame Microsoft have not been able to fix this more quickly,
but
| > letting people know about this flaw was the right thing to do. If
you
keep
| > flaws like this quiet, people are put at risk without knowing it."
| >
| > "Every browser is susceptible to vulnerabilities from time to time.
It's
| > fine to say 'don't use Internet Explorer' for now, but other
browsers
may
| > well find themselves in a similar situation," he added.
| >
| >
| >
|
|

 

[Bill Sanderson]

It is still there--the machine I was looking at had had the workaround for
"disable xml island....." applied to it. If you expand that heading under
workarounds, the .REG to reverse it is still there--it is just text in the
article--you have to cut and paste it to make it work.

There are a number of workarounds--if I ever catch whoever did this one,
I'll ask how he picked it...

 

[Bill Sanderson]

There's likely some risk. We haven't seen the patch, so we don't know if
there are issues with it in specific situations yet. I'm certain that the
average home user, which is who I tend to address here, should apply it
asap. If you support corporate desktops, and use IE heavily in business
applications, you might want to read and test for a short time....

of course everyone should install the patch- that is a given
robin

A patch for this will be issued tomorrow, as others in this thead have
noted (oops--today!)

I'd advise installing this patch.

That's what I plan to do.

--

Here's a News Article carried today by the BBC at
http://news.bbc.co.uk/2/hi/technology/7784908.stm

Serious security flaw found in IE

Users of Microsoft's Internet Explorer are being urged by experts to
switch to a rival until a serious security flaw has been fixed.

The flaw in Microsoft's Internet Explorer could allow criminals to take
control of people's computers and steal their passwords, internet
experts say.

Microsoft urged people to be vigilant while it investigated and prepared
an emergency patch to resolve it.

Internet Explorer is used by the vast majority of the world's computer
users.


"Microsoft is continuing its investigation of public reports of attacks
against a new vulnerability in Internet Explorer," said the firm in a
security advisory alert about the flaw.

Microsoft says it has detected attacks against IE 7.0 but said the
"underlying vulnerability" was present in all versions of the browser.

Other browsers, such as Firefox, Opera, Chrome, Safari, are not
vulnerable to the flaw Microsoft has identified.

Browser bait

"In this case, hackers found the hole before Microsoft did," said Rick
Ferguson, senior security advisor at Trend Micro. "This is never a good
thing."

As many as 10,000 websites have been compromised since the vulnerability
was discovered, he said.

"What we've seen from the exploit so far is it stealing game passwords,
but it's inevitable that it will be adapted by criminals," he said.
"It's just a question of modifying the payload the trojan installs."


Said Mr Ferguson: "If users can find an alternative browser, then that's
good mitigation against the threat."

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said John
Curran, head of Microsoft UK's Windows group.

He added: "We're trying to get this resolved as soon as possible.

"At present, this exploit only seems to affect 0.02% of internet sites,"
said Mr Curran. "In terms of vulnerability, it only seems to be
affecting IE7 users at the moment, but could well encompass other
versions in time."

Richard Cox, chief information officer of anti-spam body The Spamhaus
Project and an expert on privacy and cyber security, echoed Trend
Micro's warning.

"It won't be long before someone reverse engineers this exploit for more
fraudulent purposes. Trend Mico's advice [of switching to an alternative
web browser] is very sensible," he said.

PC Pro magazine's security editor, Darien Graham-Smith, said that there
was a virtual arms race going on, with hackers always on the look out
for new vulnerabilities.

"The message needs to get out that this malicious code can be planted on
any web site, so simple careful browsing isn't enough."

"It's a shame Microsoft have not been able to fix this more quickly, but
letting people know about this flaw was the right thing to do. If you
keep flaws like this quiet, people are put at risk without knowing it."

"Every browser is susceptible to vulnerabilities from time to time. It's
fine to say 'don't use Internet Explorer' for now, but other browsers
may well find themselves in a similar situation," he added.

 

[gene]

It is still there--the machine I was looking at had had the workaround for
"disable xml island....." applied to it. If you expand that heading under
workarounds, the .REG to reverse it is still there--it is just text in the
article--you have to cut and paste it to make it work.

There are a number of workarounds--if I ever catch whoever did this one,
I'll ask how he picked it...

Where did the workarounds go? I assumed that we would need to reverse
the changes before downloading the update, or is that unnecessary or
inadvisable?

Gene

 

[Anonymous Bob]

It is still there--the machine I was looking at had had the workaround for
"disable xml island....." applied to it. If you expand that heading under
workarounds, the .REG to reverse it is still there--it is just text in the
article--you have to cut and paste it to make it work.

There are a number of workarounds--if I ever catch whoever did this one,
I'll ask how he picked it...

The only thing I can figure is that you and I are looking at different
links:
http://www.microsoft.com/technet/security/advisory/961051.mspx

I see no workarounds header.

Puzzled in Florida

 

[Anonymous Bob]

The only thing I can figure is that you and I are looking at different
links:
http://www.microsoft.com/technet/security/advisory/961051.mspx

I see no workarounds header.

I found something on technet:
http://blogs.technet.com/swi/archiv...-workarounds-from-the-recent-IE-advisory.aspx

There's a zip file at the bottom of the page. Read the article and carefully
follow the instructions.

 

[Anonymous Bob]

I found something on technet:
http://blogs.technet.com/swi/archiv...-workarounds-from-the-recent-IE-advisory.aspx

There's a zip file at the bottom of the page. Read the article and carefully
follow the instructions.

Well...that didn't work!

From scesrv.log:
"----Configure File Security...

File security configuration completed with error."

What's that security phone number you like to give?
;-)

 

[gene]

I found something on technet:
http://blogs.technet.com/swi/archiv...-workarounds-from-the-recent-IE-advisory.aspx

There's a zip file at the bottom of the page. Read the article and carefully
follow the instructions.

I prefer text rather than tables for something like this. One part of
it is maybe easier to understand at
http://support.microsoft.com/kb/961051

for users of Word97, a WordPad security problem:
http://www.microsoft.com/technet/security/advisory/960906.mspx

Otherwise, several pages of google search and I haven't found the
original Wordarounds text. But I did discover that the security update
can be downloaded from MS as a file with Opera.

Gene

 

[Alan]

Bill,

Are you in the Atlantic Time Zone?

Alan

The web "meeting" to talk about it is scheduled for 1 pacific time, which
is 5 our time? It wouldn't surprise me if it came out quite late in the
day. I have just checked in Vista and at the MSRC blog and seen nothing
yet.

so where is this patch? I have not gotten it yet
robin

Folks using these work-arounds should be aware that at least one of them
will break Outlook Web Access, which may be of significance to anyone in
an office using Small Business Server, or in larger networks using
Exchange and Outlook as well.

I recommend reversing these work-arounds prior to applying todays
patch--but I haven't yet read what Microsoft's advice is about this.


I applied the work arounds recommended in the advisory.
Should work until:
http://blogs.technet.com/msrc/archi...on-for-december-2008-out-of-band-release.aspx
Microsoft Security Bulletin Advance Notification for December 2008
This is an advance notification of an out-of-band security bulletin
that
Microsoft is intending to release on December 17, 2008.
Source:
http://www.microsoft.com/technet/security/Bulletin/ms08-dec.mspx

You should subscribe to a security feed or alert from Microsoft,
then you won't have to wait for someone to else to publish it.
I get this feed http://blogs.technet.com/msrc/default.aspx

mae

| Here is the official notification from Microsoft which was first
published
| on December 10, 2008 and updated on December 15:
| http://www.microsoft.com/technet/security/advisory/961051.mspx
|
| Alan
|
| | > Here's a News Article carried today by the BBC at
| > http://news.bbc.co.uk/2/hi/technology/7784908.stm
| >
| > Serious security flaw found in IE
| >
| > Users of Microsoft's Internet Explorer are being urged by experts
to
| > switch to a rival until a serious security flaw has been fixed.
| >
| > The flaw in Microsoft's Internet Explorer could allow criminals to
take
| > control of people's computers and steal their passwords, internet
experts
| > say.
| >
| > Microsoft urged people to be vigilant while it investigated and
prepared
| > an emergency patch to resolve it.
| >
| > Internet Explorer is used by the vast majority of the world's
computer
| > users.
| >
| >
| > "Microsoft is continuing its investigation of public reports of
attacks
| > against a new vulnerability in Internet Explorer," said the firm in
a
| > security advisory alert about the flaw.
| >
| > Microsoft says it has detected attacks against IE 7.0 but said the
| > "underlying vulnerability" was present in all versions of the
browser.
| >
| > Other browsers, such as Firefox, Opera, Chrome, Safari, are not
vulnerable
| > to the flaw Microsoft has identified.
| >
| > Browser bait
| >
| > "In this case, hackers found the hole before Microsoft did," said
Rick
| > Ferguson, senior security advisor at Trend Micro. "This is never a
good
| > thing."
| >
| > As many as 10,000 websites have been compromised since the
vulnerability
| > was discovered, he said.
| >
| > "What we've seen from the exploit so far is it stealing game
passwords,
| > but it's inevitable that it will be adapted by criminals," he said.
"It's
| > just a question of modifying the payload the trojan installs."
| >
| >
| > Said Mr Ferguson: "If users can find an alternative browser, then
that's
| > good mitigation against the threat."
| >
| > But Microsoft counselled against taking such action.
| >
| > "I cannot recommend people switch due to this one flaw," said John
Curran,
| > head of Microsoft UK's Windows group.
| >
| > He added: "We're trying to get this resolved as soon as possible.
| >
| > "At present, this exploit only seems to affect 0.02% of internet
sites,"
| > said Mr Curran. "In terms of vulnerability, it only seems to be
affecting
| > IE7 users at the moment, but could well encompass other versions in
time."
| >
| > Richard Cox, chief information officer of anti-spam body The
Spamhaus
| > Project and an expert on privacy and cyber security, echoed Trend
Micro's
| > warning.
| >
| > "It won't be long before someone reverse engineers this exploit for
more
| > fraudulent purposes. Trend Mico's advice [of switching to an
alternative
| > web browser] is very sensible," he said.
| >
| > PC Pro magazine's security editor, Darien Graham-Smith, said that
there
| > was a virtual arms race going on, with hackers always on the look
out
for
| > new vulnerabilities.
| >
| > "The message needs to get out that this malicious code can be
planted on
| > any web site, so simple careful browsing isn't enough."
| >
| > "It's a shame Microsoft have not been able to fix this more
quickly, but
| > letting people know about this flaw was the right thing to do. If
you
keep
| > flaws like this quiet, people are put at risk without knowing it."
| >
| > "Every browser is susceptible to vulnerabilities from time to time.
It's
| > fine to say 'don't use Internet Explorer' for now, but other
browsers
may
| > well find themselves in a similar situation," he added.
| >
| >
| >
|
|

 

[Bill Sanderson]

East coast US--same as new york city.

I figured out what was going on, besides my fuzzy math about how many hours
there are between me and Redmond.

There either is not a patch for my particular combination of OS and IE, or
it hasn't been distributed yet.

I'm running the public beta of IE8 on the public beta of Vista Service Pack
2. An MVP is checking on whether there should be such a patch--there is in
some other IE8 instances--but if there is one, I have not seen it.

Consequently I was looking the wrong place for a patch--when I went and
looked on the server, it was there!

--

Bill,

Are you in the Atlantic Time Zone?

Alan

The web "meeting" to talk about it is scheduled for 1 pacific time, which
is 5 our time? It wouldn't surprise me if it came out quite late in the
day. I have just checked in Vista and at the MSRC blog and seen nothing
yet.

so where is this patch? I have not gotten it yet
robin

Folks using these work-arounds should be aware that at least one of
them will break Outlook Web Access, which may be of significance to
anyone in an office using Small Business Server, or in larger networks
using Exchange and Outlook as well.

I recommend reversing these work-arounds prior to applying todays
patch--but I haven't yet read what Microsoft's advice is about this.


I applied the work arounds recommended in the advisory.
Should work until:
http://blogs.technet.com/msrc/archi...on-for-december-2008-out-of-band-release.aspx
Microsoft Security Bulletin Advance Notification for December 2008
This is an advance notification of an out-of-band security bulletin
that
Microsoft is intending to release on December 17, 2008.
Source:
http://www.microsoft.com/technet/security/Bulletin/ms08-dec.mspx

You should subscribe to a security feed or alert from Microsoft,
then you won't have to wait for someone to else to publish it.
I get this feed http://blogs.technet.com/msrc/default.aspx

mae

| Here is the official notification from Microsoft which was first
published
| on December 10, 2008 and updated on December 15:
| http://www.microsoft.com/technet/security/advisory/961051.mspx
|
| Alan
|
| | > Here's a News Article carried today by the BBC at
| > http://news.bbc.co.uk/2/hi/technology/7784908.stm
| >
| > Serious security flaw found in IE
| >
| > Users of Microsoft's Internet Explorer are being urged by experts
to
| > switch to a rival until a serious security flaw has been fixed.
| >
| > The flaw in Microsoft's Internet Explorer could allow criminals to
take
| > control of people's computers and steal their passwords, internet
experts
| > say.
| >
| > Microsoft urged people to be vigilant while it investigated and
prepared
| > an emergency patch to resolve it.
| >
| > Internet Explorer is used by the vast majority of the world's
computer
| > users.
| >
| >
| > "Microsoft is continuing its investigation of public reports of
attacks
| > against a new vulnerability in Internet Explorer," said the firm
in a
| > security advisory alert about the flaw.
| >
| > Microsoft says it has detected attacks against IE 7.0 but said the
| > "underlying vulnerability" was present in all versions of the
browser.
| >
| > Other browsers, such as Firefox, Opera, Chrome, Safari, are not
vulnerable
| > to the flaw Microsoft has identified.
| >
| > Browser bait
| >
| > "In this case, hackers found the hole before Microsoft did," said
Rick
| > Ferguson, senior security advisor at Trend Micro. "This is never a
good
| > thing."
| >
| > As many as 10,000 websites have been compromised since the
vulnerability
| > was discovered, he said.
| >
| > "What we've seen from the exploit so far is it stealing game
passwords,
| > but it's inevitable that it will be adapted by criminals," he
said.
"It's
| > just a question of modifying the payload the trojan installs."
| >
| >
| > Said Mr Ferguson: "If users can find an alternative browser, then
that's
| > good mitigation against the threat."
| >
| > But Microsoft counselled against taking such action.
| >
| > "I cannot recommend people switch due to this one flaw," said John
Curran,
| > head of Microsoft UK's Windows group.
| >
| > He added: "We're trying to get this resolved as soon as possible.
| >
| > "At present, this exploit only seems to affect 0.02% of internet
sites,"
| > said Mr Curran. "In terms of vulnerability, it only seems to be
affecting
| > IE7 users at the moment, but could well encompass other versions
in
time."
| >
| > Richard Cox, chief information officer of anti-spam body The
Spamhaus
| > Project and an expert on privacy and cyber security, echoed Trend
Micro's
| > warning.
| >
| > "It won't be long before someone reverse engineers this exploit
for more
| > fraudulent purposes. Trend Mico's advice [of switching to an
alternative
| > web browser] is very sensible," he said.
| >
| > PC Pro magazine's security editor, Darien Graham-Smith, said that
there
| > was a virtual arms race going on, with hackers always on the look
out
for
| > new vulnerabilities.
| >
| > "The message needs to get out that this malicious code can be
planted on
| > any web site, so simple careful browsing isn't enough."
| >
| > "It's a shame Microsoft have not been able to fix this more
quickly, but
| > letting people know about this flaw was the right thing to do. If
you
keep
| > flaws like this quiet, people are put at risk without knowing it."
| >
| > "Every browser is susceptible to vulnerabilities from time to
time. It's
| > fine to say 'don't use Internet Explorer' for now, but other
browsers
may
| > well find themselves in a similar situation," he added.
| >
| >
| >
|
|

 

[Bill Sanderson]

They all seem to be still there when I looked at the document. I would
definitely advise reversing the workarounds. I did so on the only machine
I've discovered that had one in place, and it worked--i.e. the symptom was a
permissions error when hitting SEND on a message generated in Outlook Web
Access. After reversing the workaround that SANS mentions creates that
symptom, Outlook Web Access worked normally.

--