Hey it's only been nine months…
By Robert Lemos
Published: 5 July 2004 08:35 GMT
Microsoft has released a work-around for an Internet Explorer vulnerability that has left Windows users open to attacks for almost nine months.
The flaw, in an ActiveX scripting component, gained notoriety last month when it became the mechanism used by a network of compromised websites to install a malicious program on victims' computers. Microsoft has decided to plug the hole by turning off the ability for the ActiveX component to write to the operating system.
The software giant published the work-around on its website and directed customers to use its Windows update service to download the patch.
Though Microsoft intends the change to become a standard configuration for Windows, the software giant is working on a more comprehensive solution, said Stephen Toulouse, security program manager for Microsoft's security response centre.
"It is a permanent change, but it is an interim step - we are still in the middle of our investigation," he said. "We have taken a look at the functionality in the product and seen that that functionality is really being used by attackers."
The change fixes a problem that allowed several compromised websites to infect visitors' PCs with a Trojan horse program, known as Download.Ject or JS.Scob.Trojan. The program would record the keystrokes and send them to an overseas email address. That Internet Explorer security issue and several others lead some security experts to suggest that users should consider alternative browsers.
Microsoft's configuration change blocks the ability of the ADODB.screen ActiveX component to write to the PC's hard drive. ActiveX, which adds interactivity to websites viewed with Internet Explorer, has long been thought to have security issues.
This particular vulnerability has been known about for more than 9 months, said David Endler, director of incident response for security company Tipping Point.
"Though written configuration hardening instructions have been available online for a while, it's nice to finally see this particular security tweak in Internet Explorer distributed to the masses, even if it's long overdue," he said.
Microsoft continues to study this issue and expects to release a more comprehensive patch. Moreover, the company is readying a major security update for Windows XP, known as Service Pack 2, which should be out later this summer.
Robert Lemos writes for CNET News.com
Cable and patch management. To provide the initial response (1st/2nd Line Incident Management) to fault reporting for the company. Updating staff as ...
A project accountant is required by a Housing organisation based in the East Midland to lead on the new component accounting initiative, the project ...
DCA is dedicated team for Patch installation management, HealthChecks, Vulnerability scans, Antivirus administration and Service Activation and ...
Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Is Your Enterprise Architected for Tomorrow's Growth?
Improving IT service delivery through an integrated approach to software asset management...
TechRepublic Resource Guide: Software as a Service (SaaS) for Small and Midsize Businesses...
Download a Free Trial of SmartDraw: Learn why SmartDraw is the ideal alternative...
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Digg
Slashdot
Del.icio.us
Stumble
Reddit
RSS Feeds
Clive Longbottom Windows 7: Not perfect - but ready for prime time Microsoft's latest OS fixes most of Vista's ills - but still has challenges ahead
Stephen Kleynhans Mind the details with Windows 7 Just because it might work better than Vista, it doesn't mean you can be sloppy