Faulty Patch Leaves IE Open to Attack | eWeek

Faulty Patch Leaves IE Open to Attack

Verfasst von
Dennis Fisher
Dennis Fisher
Oct 2, 2003
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

An incomplete patch has opened the door to the widespread exploitation of a vulnerability in Internet Explorer, and security experts say that there are at least four different methods being used by attackers to compromise vulnerable PCs.

Most recently, experts identified a new Trojan, known as Qhost-1, that has been discovered on a number of machines. However, the intent and possible uses of the program are somewhat unclear at this point. Qhost appears to change some of the DNS settings on infected machines and adds a couple of entries to the registry, but doesnt seem to take any other immediate actions.

What is clear, however, is that the patch issued by Microsoft Corp. in August to fix a pair of flaws in IE does not completely solve the problem.

“Theres been a lot of confusion about the patch. It only addresses part of the issue within the vulnerability so its open to other attacks,” said Ken Dunham, malicious code intelligence manager at iDefense Inc., based in Reston, Va. “Theres no protection against it. This is a massive problem.”

The vulnerability itself is related to the way that IE handles HTML application files embedded in object tags. In order to exploit the weakness, an attacker would need only to entice a user to open a malicious e-mail or visit a Web site, where a Trojan or other malicious code could be automatically installed on the users PC.

Of the three ways that a problematic HTML page needed to exploit this vulnerability can be created, the patch only prevents one from working, according to officials at the CERT Coordination Center in Pittsburgh. Several workarounds have been suggested, including disabling ActiveX controls in IE. Although, there are some reports that even this is not completely effective.

“A fully patched IE system is vulnerable to this,” said Art Manion, Internet security analyst at CERT. Manion said that editing the registry to delete a key related to the problem seems to be the most effective method of preventing exploitation, he said. The key that needs to be renamed or deleted is: HKEY_LOCAL_MACHINESOFTWAREClassesMIMEDatabaseContent Typeapplication/hta.

In addition to the Qhost Trojan, Manion has seen another Trojan that exploits this vulnerability to steal users AOL Instant Messenger passwords. There is also an exploit that installs a dialing program that calls out to an overseas toll number, and a fourth tool that installs an old back door program.

IE is the only browser vulnerable to this specific exploit, so users could also avoid infection by switching to an alternate browser, such as Netscape Navigator or Opera.

“If we dont see a [revised] patch come out soon, youll definitely see people migrating to alternate browser,” said Dunham. “If youre not worried, you should be.”

Discuss this in the eWEEK forum.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.