Bugs and Fixes: Plug Critical Holes in IE and Office

It's happened again. Crackers recently began exploiting a newly revealed major security bug in Internet Explorer before Microsoft could issue a patch. These so-called zero-day exploits--where less than a day passes between the revelation of a vulnerability and attacks against it--are becoming more frequent. And that's bad news for us all. Security research firm Secunia found this hole, which affects virtually all versions of IE, from 5.01 through 6 Service Pack 2. Beta previews of IE 7 that predate March 20, 2006 (build 5335.5 or later) are vulnerable as well.

Though attacks exploiting this breach have been sporadic so far, make sure to get the fix. The flaw opens the door to the dangerous drive-by download attack, where just visiting a malicious Web site can pull viruses and spyware onto your computer--no click required. Simply viewing a corrupt banner ad on a page could trigger the attack routine as well. Here's how the bug works: A booby-trapped site or image sends your system a poisoned "CreateTextRange" JavaScript command that scrambles IE's idea of what's supposed to be where, leaving IE (and Windows) flummoxed. A split second later, the cybervulture's attack program swoops in to carry out whatever nefarious activities the attacker has devised. No matter what the specifics, you'll be the loser.

A bit of good news: Just previewing an Outlook e-mail message containing a link to a malicious site won't trigger the exploit. But the usual warning applies: Never click a link in any message that's even slightly suspicious. Microsoft will distribute a patch via Windows Update by the time you read this. In the meantime, the company's suggested (if draconian) workaround is to disable or prompt for all JavaScript. JavaScript is a type of programming found in many different Web pages, and disabling it means a lot of sites will display incorrectly or may keep you from logging in. To implement the workaround in IE, click Tools, Internet Options, and select the Security tab. Click Internet, Custom Level. Under Settings, in the Scripting section, scroll down to Active Scripting, click either Prompt or Disable, and then click OK.

Two security companies have released their own temporary workaround patches, but analysts recommend using either Microsoft's workaround or an alternate browser such as Firefox or Opera. Microsoft also warns against using third-party patches.

For additional details, see Microsoft's advisory. When it is ready, the patch will be at Microsoft Security Bulletin MS06-013. Of course, all of these problems will be solved by this time next year when Microsoft releases Windows Vista. Right?

1 2 3 Page 1
Page 1 of 3
  
Shop Tech Products at Amazon