The most recent of a spate of Internet Explorer crash and burns is drawing the user reaction, “So, what else is new?”
“At what point do we need to shift the focus here and start posting Slashdot stories when they find some code in IE that actually works?” This post, by D-Cypell, was the first of many exasperated posts on Slashdot following Tuesdays advisory that four new IE security holes had been found by Danish security firm Secunia.
The holes, once again found in the notorious Active scripting functionality of Microsofts popular browser, could allow arbitrary code to be executed and content to be placed over other windows on users systems.
The holes opened up fast on the heels of Microsoft issuing seven security bulletins on the same day—two of them deemed “critical”—for various Windows versions and associated products.
Some users questioned how Microsoft, with its massive development group, billions in cash and its 2.5-year-old Trustworthy Computing initiative, could still manage to get hit so hard and so often.
The answer, they posited, could be that IE is just too closely tied to the OS. “Security always seems to take a back seat to features with [Microsoft], and that is the core problem with IE,” walt-sjc posted on Slashdot. “Being integrated to the level it is in the OS means that it drags the security (or lack thereof) of the entire system down with it.”
“Taking the software that is responsible for interfacing with the OS and making it your default tool for interacting with the outside world was just plain stupid,” posted another user with the handle of gunnk. “[Its] a marketing/legal department move to skirt the ruling that they couldnt bundle IE with Windows. Once done, however, almost any problem with IE becomes a root exploit.
“Surfing with IE makes this problem go from some risk to extreme risk,” gunnk continued. “The only way to avoid this kind of escalation is to separate Web browser from OS interface: something MS doesnt want to do since then they are back to the bundling problem.”
As for what to do about the vulnerabilities, experts had predictable advice: Fix it. Now.
Graham Cluley, a senior technology consultant for antivirus company Sophos Inc., warned that anything labeled “critical” coming out of Microsoft should be dealt with quickly and decisively, given that viruses—think SoBig—have followed fast on the heels of patches in the past.
Aaron Newman, chief technology officer for the New York security firm Application Security Inc., agreed, pointing out that patch-virus release schedules have been rapidly shrinking, so theres no time to lose. “If you go back to the days of the Slammer worm, that took six months between patch [release] and when the worm hit,” he said. “That cycle has gotten a lot tighter. With SoBig and some others, its usually about two weeks before somebody starts exploiting it in the wild.”
Viruses are coming faster, and for virus writers, IE is now “the sexy place to be,” Newman said. “The resources of the hackers are becoming faster,” Newman noted. “The release times are getting faster. This new avenue of attack, where people are no longer looking at exploiting the Web server bur rather the people who come to the Web servers, its another mode of attack.”
Theres been plenty of talk regarding the booming popularity of alternatives to IE—such as Mozillas Firefox browser—in the wake of IEs recent security woes. But Sophos Cluley thinks that even this most recent rash wont seriously dent IEs market grip. “The vast majority of people are using IE,” said Cluley, in Oxford, England. “[Mozilla] is just one drop in the ocean. We expect for a long time to come for people to continue using IE.”
Besides, he pointed out, Mozilla recently had its own security problems.
In separate news, antivirus company F-Secure Corp. proved that when it rains security problems, it pours. The Helsinki, Finland, company on Monday reported a new mass-mailer worm called Atak that plops itself into a file and then deploys a host of anti-debugging tricks to throw antivirus sniffers off the track as it churns out spam.
Cluley described Atak, which hides in a file called HINT.EXE in /WINDOWS/SYSTEM32 directory, as a minimal irritation. “Its not spreading. Its not a big deal. Weve received no reports from our honeypots around the world,” he said.
Atak has the ability to determine whether its code is being stepped through by a debugger program. If it is, Atak quits operations. This self-defensive hibernation technique is nothing new, Cluley said, and merely slows down initial detection by antivirus laboratories such as Sophos.
“Antivirus [programs] wont have any more difficulty [dealing with] this virus than any of the other viruses around,” he said. “It makes it harder for us in our laboratories to analyze it, but once we have,” antivirus programs will nail it just like any of the other 30 to 40 new viruses that sprout up every day, he said.
Although it boasts no new techniques, Atak gained media attention likely because it carries text that implies that the program will attack other viruses, including Netsky, Bagle, Mydoom, Lovgate, Nachi and Blaster.