They do indeed. Although it is appropriate to blame the folks who hack legitimate sites and install malware, clearly the admins of those legitimate sites have not been doing all they could have.
(And so I say, as an admin of half a dozen such sites. It's a balancing act--I know very little about web authoring, MySQL, or the various packages that various developers have used over time to develop the sites I have overall charge of. I try to stay on top of security issues, and I do discuss the specific issue of SQL injection attacks with our developers just to see how they respond. This stuff is not cut and dried--there isn't any simple testing tool that can tell you whether or not your site is safe, as far as I can tell--it is a question of the skills of your staff.)
Let us not forget the `good` web site developers have a certain responsibility here.
Stu:
I managed to not broadcast this issue to the users I support--but several people either asked about it or sent me information about the issue to make sure I knew about it.
I wasn't yet ready to put into effect the work-arounds Microsoft has supplied, given my understanding of the extent of the risk--and I see no point in creating fear and doubt without a clear set of actions to prescribe.
I did write everyone this morning asking that they apply today's patch as soon as it is convenient for them, and I'll be doing that manually on systems I can reach when it is available.
This was a close call--the code to exploit the vulnerability was publicly available since December 10th--meaning that anyone could pick it up and make use of it. Fortunately, it required that you visit a web site to be infected--it isn't something that can directly infect from an email message. There were some innocent sites that were hacked to distribute this malicious code--which is a good part of where the real risk lies for users who don't frequent porn sites.
I doubt that my users were making use of the features of Internet Explorer that would be disabled by the simpler work-arounds for this exploit, but I'm not certain of that, and didn't want to have to fix this twice--once via a work-around and then need to reverse that and install the final patch.
I'm glad they were able to produce a patch quickly.
--
Panic over Bill? You know, maybe I'm too laid back with these security issues. I can never understand why there is this tendency for a `knee jerk` reaction with associated buzz on these NGs - like bees which have just been awoken from their hives. Everything buzzing around (deliberating and speculating) while someone works quietly in the background resolving the issue. Perhaps there are times when ignorance is bliss ;)
Stu:
A patch for this will be issued tomorrow, as others in this thread have noted (oops--today!)
I'd advise installing this patch.
That's what I plan to do.
--
Here's a News Article carried today by the BBC at
http://news.bbc.co.uk/2/hi/technology/7784908.stm

Serious security flaw found in IE

Users of Microsoft's Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed.

The flaw in Microsoft's Internet Explorer could allow criminals to take control of people's computers and steal their passwords, internet experts say.

Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.

Internet Explorer is used by the vast majority of the world's computer users.

"Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in Internet Explorer," said the firm in a security advisory alert about the flaw.

Microsoft says it has detected attacks against IE 7.0 but said the "underlying vulnerability" was present in all versions of the browser.

Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable to the flaw Microsoft has identified.

Browser bait

"In this case, hackers found the hole before Microsoft did," said Rick Ferguson, senior security advisor at Trend Micro. "This is never a good thing."

As many as 10,000 websites have been compromised since the vulnerability was discovered, he said.

"What we've seen from the exploit so far is it stealing game passwords, but it's inevitable that it will be adapted by criminals," he said. "It's just a question of modifying the payload the trojan installs."

Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.

He added: "We're trying to get this resolved as soon as possible.

"At present, this exploit only seems to affect 0.02% of internet sites," said Mr Curran. "In terms of vulnerability, it only seems to be affecting IE7 users at the moment, but could well encompass other versions in time."

Richard Cox, chief information officer of anti-spam body The Spamhaus Project and an expert on privacy and cyber security, echoed Trend Micro's warning.

"It won't be long before someone reverse engineers this exploit for more fraudulent purposes. Trend Micro's advice [of switching to an alternative web browser] is very sensible," he said.

PC Pro magazine's security editor, Darien Graham-Smith, said that there was a virtual arms race going on, with hackers always on the look out for new vulnerabilities.

"The message needs to get out that this malicious code can be planted on any web site, so simple careful browsing isn't enough."

"It's a shame Microsoft have not been able to fix this more quickly, but letting people know about this flaw was the right thing to do. If you keep flaws like this quiet, people are put at risk without knowing it."

"Every browser is susceptible to vulnerabilities from time to time. It's fine to say 'don't use Internet Explorer' for now, but other browsers may well find themselves in a similar situation," he added.