Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Jaded Users Roll Their Eyes at IEs Latest Security Debacle

    By
    Lisa Vaas
    -
    July 14, 2004
    Share
    Facebook
    Twitter
    Linkedin

      The most recent of a spate of Internet Explorer crash and burns is drawing the user reaction, “So, what else is new?”

      “At what point do we need to shift the focus here and start posting Slashdot stories when they find some code in IE that actually works?” This post, by D-Cypell, was the first of many exasperated posts on Slashdot following Tuesdays advisory that four new IE security holes had been found by Danish security firm Secunia.

      The holes, once again found in the notorious Active scripting functionality of Microsofts popular browser, could allow arbitrary code to be executed and content to be placed over other windows on users systems.

      The holes opened up fast on the heels of Microsoft issuing seven security bulletins on the same day—two of them deemed “critical”—for various Windows versions and associated products.

      Some users questioned how Microsoft, with its massive development group, billions in cash and its 2.5-year-old Trustworthy Computing initiative, could still manage to get hit so hard and so often.

      The answer, they posited, could be that IE is just too closely tied to the OS. “Security always seems to take a back seat to features with [Microsoft], and that is the core problem with IE,” walt-sjc posted on Slashdot. “Being integrated to the level it is in the OS means that it drags the security (or lack thereof) of the entire system down with it.”

      /zimages/6/28571.gifFor a look at the progress made by Microsofts Trustworthy Computing initiative, check out this interview with the companys chief security strategist.

      “Taking the software that is responsible for interfacing with the OS and making it your default tool for interacting with the outside world was just plain stupid,” posted another user with the handle of gunnk. “[Its] a marketing/legal department move to skirt the ruling that they couldnt bundle IE with Windows. Once done, however, almost any problem with IE becomes a root exploit.

      “Surfing with IE makes this problem go from some risk to extreme risk,” gunnk continued. “The only way to avoid this kind of escalation is to separate Web browser from OS interface: something MS doesnt want to do since then they are back to the bundling problem.”

      As for what to do about the vulnerabilities, experts had predictable advice: Fix it. Now.

      Graham Cluley, a senior technology consultant for antivirus company Sophos Inc., warned that anything labeled “critical” coming out of Microsoft should be dealt with quickly and decisively, given that viruses—think SoBig—have followed fast on the heels of patches in the past.

      Aaron Newman, chief technology officer for the New York security firm Application Security Inc., agreed, pointing out that patch-virus release schedules have been rapidly shrinking, so theres no time to lose. “If you go back to the days of the Slammer worm, that took six months between patch [release] and when the worm hit,” he said. “That cycle has gotten a lot tighter. With SoBig and some others, its usually about two weeks before somebody starts exploiting it in the wild.”

      Viruses are coming faster, and for virus writers, IE is now “the sexy place to be,” Newman said. “The resources of the hackers are becoming faster,” Newman noted. “The release times are getting faster. This new avenue of attack, where people are no longer looking at exploiting the Web server bur rather the people who come to the Web servers, its another mode of attack.”

      Theres been plenty of talk regarding the booming popularity of alternatives to IE—such as Mozillas Firefox browser—in the wake of IEs recent security woes. But Sophos Cluley thinks that even this most recent rash wont seriously dent IEs market grip. “The vast majority of people are using IE,” said Cluley, in Oxford, England. “[Mozilla] is just one drop in the ocean. We expect for a long time to come for people to continue using IE.”

      Besides, he pointed out, Mozilla recently had its own security problems.

      /zimages/6/28571.gifFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

      In separate news, antivirus company F-Secure Corp. proved that when it rains security problems, it pours. The Helsinki, Finland, company on Monday reported a new mass-mailer worm called Atak that plops itself into a file and then deploys a host of anti-debugging tricks to throw antivirus sniffers off the track as it churns out spam.

      Cluley described Atak, which hides in a file called HINT.EXE in /WINDOWS/SYSTEM32 directory, as a minimal irritation. “Its not spreading. Its not a big deal. Weve received no reports from our honeypots around the world,” he said.

      Atak has the ability to determine whether its code is being stepped through by a debugger program. If it is, Atak quits operations. This self-defensive hibernation technique is nothing new, Cluley said, and merely slows down initial detection by antivirus laboratories such as Sophos.

      “Antivirus [programs] wont have any more difficulty [dealing with] this virus than any of the other viruses around,” he said. “It makes it harder for us in our laboratories to analyze it, but once we have,” antivirus programs will nail it just like any of the other 30 to 40 new viruses that sprout up every day, he said.

      Although it boasts no new techniques, Atak gained media attention likely because it carries text that implies that the program will attack other viruses, including Netsky, Bagle, Mydoom, Lovgate, Nachi and Blaster.

      /zimages/6/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.

      /zimages/6/77042.gif

      Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page

      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Careers

      SThree’s Sunny Ackerman on Tech Hiring Trends

      James Maguire - June 9, 2022 0
      I spoke with Sunny Ackerman, President/Americas for tech recruiter SThree, about the tight labor market in the tech sector, and much needed efforts to...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×