They publish their findings at microsoft.com/security.

If you find a new exploit, or know of some security problem on one of our products, please send email to secure@microsoft.com.

Already this page has been updated a few times in the past 24 hours. If you think you have a security problem with a Microsoft product, please check the security site.

If you just want to make sure you are protected, then visit microsoft.com/protect.

LazyCoder wrote:

While those diligent, hard working folks work overtime on the patch., some of us surf on...


The patch people DO have the crappiest job at Microsoft, ok except for maybe anyone with an officemate who runs at lunch now that the towels are BYOT, and probably get the least amount of love   It's probably worse for the IE team than for any other team. At least the Server team can say "they should upgrade to Server 2003". What can the IE team say? "Help!"

phunky_avocado wrote:

Give it a rest already!  Go back to Slashdot.  Sheesh, what with 4 threads on how crappy IE is (or are there more threads now?) and how Blessed-By-God Firefox (or whatever it is) is...

Charles wrote:

LazyCoder,

Keep in mind that IE, as the most used web browser in the world, will necessarily attract the most bad guys trying to find holes in it to use as means to do bad things to people surfing the web. When Gecko-based browsers increase significantly in usership, you will see an increase in security vulnerabilities in those browsers. Why? Well, if I am a hacker, then I want to hack as many people as possible with a single attack vector... 

ZippyV wrote:

How long does Microsoft now already about these bugs?

On Sunday 6/13, I sent an email to some customers, with a subject of "New Internet Explorer vulnerabilities."  I mentioned the problem with IE and said Microsoft was looking into it and that I hoped to see a Critical Update for IE within the next few days.  (Admittedly, this was my optimism.)  I also added a warning about visiting unsolicited or untrusted URLs, which I felt somewhat sheepish about providing, given the hyperlinked nature of the Internet.

I thought about starting a thread on Channel 9 at that point asking about the status of the IE security patches.  To use the Channel 9 airplane analogy, at this point I have told my customers fellow passengers, in my calmest voice, that they might be seeing what looks like smoke coming from one the engines, but it is nothing to worry about because we have very smart and capable people in the cockpit and they have the situation completely under control.  So now I'm seeking some information that this is in fact the case.

I checked Channel 9 over the next few days as well as microsoft.com/security.  Nothing.  I thought it was weird that Microsoft didn't even mention the vulnerabilities on the Security page.

Instead of starting a thread, I thought I'd just wait until someone else started one.  After all, you see a little smoke coming from the engines, probably everyone wants to push the little stewardess button flight attendant call button and point out the window.  Best just to hope they've noticed and they're taking care of it.

Days pass and the "chatter" about IE exploits starts to pick up in the industry press.  Now people are reporting plumes of flame streaking from the engine that was formerly smoking.  Someone came back from the rear lavatories and said the back of the aircraft smelled like something was burning.  Still no word from the "pilots" on Channel 9, and based on the content of microsoft.com/security, the only thing I need to worry about is a thunderstorm that passed us a couple of months ago ("Sasser").

Last Wednesday some of my customers fellow passengers had their antivirus alarms go off.  They'd been somehow infected by something called "Backdoor.Berbew.F," which does all kinds of nasty things, like turn your computer into a proxy server and (depending on who you ask) either steals cached passwords or installs a keystroke logger.  They've started to freak out.  So now I'm in that Twilight Zone episode ("Nightmare at 20,000 Feet") starring William Shatner in a bug-eyed cold sweat, grabbing my lapels and screaming, "THERE'S SOMETHING OUT ON THE WING!!!"

Of course I tried to figure out how they got infected.  Did they install some bogus software?  Download any warez from Kazaa?  Click on a link someone sent them via email?

No, it turns out that they had all merely visited the home page of a Fortune 500 company.

So I load up "Wfetch" from the IIS Resource Kit and view the HTML from this Fortune 500 company.  The server is running IIS 5.0 and sure enough, there's some interesting Javascript tacked on the end of the home page, which seems to be pulling up content from an IP address... that's located in Russia.

That's right, Fortune 500 company, home page pulls up content on obscure IP address in Russia. 

Golly, Mr. Shatner, there is something out on the wing.  And it's ripping pieces of sheet metal off the plane.  (As Mr. Spock would say, "Fascinating.")

So I check Channel 9 and there's some video about what snack foods were consumed during the creation of the .NET CLR and a poll on whether there should be any more polls.  No warm fuzzies there, so I check microsoft.com/security and I'm still getting dire warnings about... Sasser.  Hmmm.

So now I'm thinking that the view into the cockpit isn't really working for me.  The plane is going down in flames and (as I joked earlier) all I can get is a pre-recorded selection of soothing music.  Please God don't let me die while listening to Kenny G....

Of course yesterday Microsoft announced "Download.Ject," which is how that particular Fortune 500 server (and possibly others) managed to infect untold numbers of people -- it was missing a single patch.  Which was somewhat encouraging, because when you see people dropping dead of a mysterious new disease all around you, it is comforting to know that the experts (while unable to offer detection, cure, or prevention) at least know how the disease is spread.

I checked Channel 9 for fun today (Kenny G starting to grow on me!) and mirabile dictu, there's a thread at the top about the IE security vulnerabilities.  And it tells you to check microsoft.com/security.  So I load up the security page again and there's a snazzy new graphic for "Download.Ject: What you should know."  The graphic features a guy staring at his laptop, who is probably blissfully unaware that he has just been backdoored out the wazoo.  Still nothing specifically about the IE vulnerabilities, though.  Threat number two?  Good old Sasser. 

I hope I've made my point.

I have nothing the least bit bad to say about the folks who are actually working on patching IE.  I'm sure they actually are very smart, dedicated people who are working around the clock under very difficult conditions.

I do fault the communications from MS on this subject, though.  The information on Download.Ject suggests that IIS servers missing patch 835732 are "are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code."  POSSIBLY being compromised?  ATTEMPT to infect users?  Please.  This isn't a court case, and you don't have to say "alleged" perpetrator/victim until the DNA tests come back.  Servers are being hacked.  Fully patched systems running IE are being backdoored.  People need to understand this is not a theoretical threat.

There needs to be some acknowledgement from Microsoft about the problems with IE.  Right now my links on this issue come from Reuters, Forbes, News.com -- NOT Microsoft.

There needs to be some kind of regular (as in daily) update from Microsoft on an issue of this importance.  What is the point of this (besides giving your customers warm fuzzies)?  Well, let's say that a patch for IE is "almost there," but there is some problem getting it to work on 64-bit systems (as recently happened with XP SP2 RC2).  If the security team posts for three days straight that the patch will be RTM as soon as the 64-bit issues are fixed, I guarantee that you will hear from a LOT of customers saying, "Screw the five people using 64-bit systems, I need to patch IE now!!!"  I know MS coders take pride in their work and have a craftsman-like approach to their software -- it's done when it's done, and they'll get it right the first time -- but in some cases (e.g. security issues) I think they need feedback from their customers saying "It's good enough -- ship it!"

Channel 9 has given me lots of entertainment and insight into Microsoft "behind the scenes."  But I can't say I've felt that it has been all that useful.  For useful, I still turn to sites like Neowin, Bink, MSDN, and the rest of the industry press. 

Channel 9 has the potential to be so much more than an admonition to "keep watching microsoft.com/security."

My apologies for such a long rant.

rjdohnert wrote:

Hey guys the linux comment was a joke and not inteded to be taken seriously, I was just qoting what a user said on /. If I offended, my apologies.

LarryOsterman wrote:

ZippyV wrote: How long does Microsoft now already about these bugs?

As far as I know, Microsoft learned about the bugs in IE that are being exploited last week, when Jelmer announced them to Bugtraq.

[snip]

And it took Jelmer's vulnerabilities about a week.

LarryOsterman wrote:

Btw, as an example of a fix that broke something, consider what happened when the IE team fixed the username/password in an HTTP url problem.

This was a case where IE (and most other browsers) clearly were not following the HTTP standard (which explicitly stated that usernames were not allowed in HTTP urls).

When we pulled support for this because it was a security risk (and was being actively exploited for phishing schemes), we heard nothing but screams of anguish from customers who were using this feature.

I'm actually really happy that Microsoft has stood by its guns and NOT caved in to put in a variant of the problem back in.

This is a case where IE was made MORE standards compliant than its competitors and we got flack for it

When you're IE, you can't make ANY changes without being REALLY REALLY REALLY careful.

I think that Charles is right, that some kind of a "yes, we know about it, we're working on it" thing is a good idea.

But it has to be tempered by the fact that we can only do this if there's an active exploit in the wild - if there's no exploit in the wild, just the knowledge that we're working on the fix can tip the bad guys to where to start looking for the exploit.

That's why it's so important that every word published about this on official channels be carefully scrutinized.  You don't want to give the bad guys any more information than you can.

Charles wrote:

You want a 100% secure browser, 100% secure operating system, 100% secure Internet? Well, then don't connect to the Internet.

"Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk."

(from http://www.microsoft.com/security/incident/download_ject.mspx)

phunky_avocado wrote:

Point of fact:  In this thread Microsoft is getting bashed because they have not put out a patch fast enough after the exploit was released; yet, in the not-so-distant-past when it is discovered after a patch is released that Microsoft has known about the exploit that the patch fixes for a couple of months, guess what?  People scream and complain about "how could you let this thing go on for so long without letting anyone know?"!

Damned if you do, damned if you don't.

Charles wrote:

You want a 100% secure browser, 100% secure operating system, 100% secure Internet? Well, then don't connect to the Internet. That said, in the future this will not necessarily be the case as users will have become more educated and systems made more secure, but the sad fact remains: there will always be bad people out there working tirelessly to figure out ways to hurt as many people as possible, even if only in abstract or virtual ways. 

Charles 

jonathanh wrote:

"Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk."

(from http://www.microsoft.com/security/incident/download_ject.mspx)

Charles wrote: You want a 100% secure browser, 100% secure operating system, 100% secure Internet? Well, then don't connect to the Internet.

Karim wrote:

I don't understand why Microsoft hasn't even published a simple utility or .REG file that closes up the vulnerability.  (See http://www.eeye.com/html/research/alerts/AL20040610.html)

Sure, it might break .HTAs or the Help System, but you can tell people that when you offer it to them.

amg wrote:

I agree that it's mystifying as to why patchs take to long to be released...but a super compelling reason would be to avoid litigation.  Patchs that fix holes can't go around breaking other things... 

...which is why I majorly disagree with your concept of patchs being released that may cause other components to fail, but informing people of the failure.  That's not how commercial software works...not anything remotely good anyways...

pacelvi wrote:

Dude, that was John Lithgow on the plane (his movie debue). 

Though you if you want to stick with Shatner, I think Airplane II The Sequel should provide a good story.

"Microsoft teams have confirmed a report of a security issue known as Download.Ject affecting customers using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer, components of Windows."

We confirmed this by reading all the press from AP, Reuters, the New York Times, Forbes and CNN, who had actually confirmed this last week.

"The second [issue with Internet Explorer] is a recently discovered issue that Microsoft is currently investigating in order to provide a solution."

Mostly, we are stymied because we still haven't come up with a good name for this issue yet.

"Customers who are already following our safe browsing guidance significantly reduce their risk from this type of attack."

In this particular case, "safe browsing" means not typing the URL of a well-respected Fortune 500 company in your browser.  We would direct you to the URL of our safe browsing guidelines, but doing so would actually violate our safe browsing guidelines.

"Microsoft has established with its partners that this attack is not a "worm" or virus-in other words, this attack is a targeted manual attack by individuals or entities towards a specific server."

Of course, if you happen to visit that infected server using IE, you would be instantly infected as well, along with everyone who visited the site.  But you can rest assured knowing that when the Russian Mafia starts using the credit card numbers that you've typed into your computer, it was not the result of a "worm" per se.

Also, we checked the dictionary, and turning your computer into a open proxy server so that it can be used to deliver spam or break into your corporate network -- well, that really isn't really a "virus" either.  So rest easy!

"Microsoft also has confirmed that this attack exploited a vulnerability in Internet Explorer to deliver malicious code to visitors of an affected Web site. Microsoft has been working with Internet service provider partners to shut down the malicious URLs."

Some have suggested that we also repair the vulnerability in Internet Explorer.  But we're having much more fun playing whack-a-mole shutting down malicious URLs as they pop up across the Internet.

"In addition, MSN is scanning for and blocking malicious URLs."

If you don't use MSN, though, you're kind of screwed.

"Customers using Internet Explorer should be sure that they have installed the latest security updates by visiting Windows Update at: http://windowsupdate.microsoft.com."

Not that it will help protect you from this threat, though.

"Customers running Windows XP SP2 Release Candidate 2 are already protected from this threat."

We hope the other 99.9995% of you are using MSN.

Oh, and you can ignore all those dire warnings about not installing SP2 RC2 on "production" systems.  We were only joking about that!

Karim wrote:

jonathanh wrote: "Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk." (from http://www.microsoft.com/security/incident/download_ject.mspx)

This is a perfect example of a security fix, which Microsoft thinks is not ready for public consumption (DO NOT INSTALL SP2 RC2 ON PRODUCTION SYSTEMS!!!  CAUTION, BETA SOFTWARE!!!  DANGER WILL ROBINSON!!!) but which turns out to be perfectly acceptable to most non-Microsoft people who just don't want their computers hacked.

I don't understand why Microsoft hasn't even published a simple utility or .REG file that closes up the vulnerability.  (See http://www.eeye.com/html/research/alerts/AL20040610.html)

Sure, it might break .HTAs or the Help System, but you can tell people that when you offer it to them.  More choices about how to react is almost always better than less choices, and there will be a lot of people who will choose a temporarily broken Help system over having to worry about whether each and every URL they visit is going to instantly infect their computer.

Charles wrote:

I am very happy to announce that the Microsoft Security Response Center has just updated the www.microsoft.com/downloadject web page to reflect some of the feedback they have received from this thread and other internal threads as well as some of the results of their own investigations. It's a start and will only get better going forward.

Thank you all for the outstanding feedback. Please keep it coming. We are listening.


Keep on posting,

Charles

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/hta]

I know that this unlinks the adodb.stream function (if I am saying that right) on the local machine from IE, and removes the mime type for hta, but what are the possible ramifications?

I have already done this for about 900 desktops, and no issues yet, but would like more information.

or am i just beta testing out here??

and this may have been reported elswhere, but SecFocus has news of a second vector for the recent vulnerablilty in this link

pacelvi wrote:

What idiot approved the dialog box that basically says "This web site you haven't added to your Trusted Sites is at the moment wanting to get onto your network and write and read files.  We're not going to tell you which ones.  Will you let it"?

Karim wrote:

I call this the "Sad Mac" syndrome, after the little Sad Macintosh icon that comes on whenever the Mac has one of 27 billion possible hardware problems.