Microsoft releases changes to block IE exploitation
- By William Jackson
- Jul 02, 2004
Microsoft Corp. is releasing configuration changes for its Windows operating systems that will help guard against recent attacks against its Web browser.
'On July 2 Microsoft released a configuration change to the Windows XP, Windows Server 2003 and Windows 2000 operating systems that improves system resiliency to protect against the Download.Ject attacks,' the company said in a statement today.
Download.Ject is malicious code that targeted Internet Explorer browsers when they visited compromised Websites running flawed versions of Microsoft's Internet Information Services server.
The details of the attack and the identities of the compromised sites have not been released, but IE infections date to at least June 20 and reportedly were first discovered June 23 in a federal agency.
Microsoft claims that the Russian Web server identified as the source of the attack has been shut down.
The IE problem is not a bug in the software but a feature that can be exploited by attackers if activated.
'Adodb.stream provides a method for reading and writing files on a hard drive,' according to Microsoft. 'This by-design functionality is sometimes used by web applications. However, when combined with known security vulnerabilities in Microsoft Internet Explorer, it could allow an Internet web site to execute script from the Local Machine Zone (LMZ).'
In this case the malicious code directed the browser to contact the Russian server, where additional code would be downloaded.
Instructions for turning off the feature have been available, but many users have not made the manual fix.
'Even though written instructions were available on how to reconfigure Internet Explorer, the accessibility of online computing has dramatically outpaced the level of technical understanding that many home users would need,' said David Endler, director of Digital Vaccine for TippingPoint Technologies Inc. of Austin, Texas. 'It is nice to see this particular security tweak distributed to the masses, even if it is long overdue.'
The configuration changes are available on Microsoft's Download Center
and were expected to be available by the end of the day on Windows Update
Microsoft said it is working on a comprehensive series of IE security updates expected to be available in coming weeks. The company expects to release Windows XP Service Pack 2 this summer, which will include network, Web browsing and e-mail security features.
Endler called SP 2 'a great step toward proactively protecting users against threats such as these without requiring much fine tuning of configuration settings.'
William Jackson is a Maryland-based freelance writer.