Guest thecableguy Posted March 28, 2006 CID Share Posted March 28, 2006 A couple of computer-security companies have separately released free patches to plug a critical security flaw in Microsoft's Internet Explorer browser that hacker groups have been exploiting to steal passwords from Windows users. The third-party fixes from Aliso Viejo, Calif.-based eEye Digital Security and Determina of Redwood City, Calif., came after Microsoft said it did not plan to issue its own update until April 11, the next date in its regular monthly security-update cycle. Meanwhile, security experts have identified at least 200 Web sites that are being used to install password-stealing malware on Windows PCs when users merely visit one of the sites with IE. This scenario is shaping up in a familiar way. During the final days of 2005, hackers released code that could be used to break into Windows computers whose users visited certain Web sites or opened image files infected with the code. After thousands of Web sites began using the code to install spyware and other unwanted crud, independent security researcher Ilfak Guilfanov on Jan. 1 released a free patch to fix the problem. Amid growing criticism for saying it would wait another nine days to issue its own update, Microsoft accelerated its patch process and pushed out a fix by Jan. 5. Microsoft says its engineers worked through the weekend on a patch for the current flaw, and that the company may issue an update before April 11 "if warranted" and "as soon as it's ready" (that is, tested to Redmond's satisfaction that it does not break or interfere with other Windows components or third-party applications.) I haven't spoken yet with anyone who has fully vetted either of these unofficial patches, so I can't really recommend that anyone install them at this time. Johannes Ullrich, chief research officer at the SANS Internet Storm Center, said SANS also can't vouch for either patch. But Ullrich said he's briefly examined the eEye fix and found that it should work, although he added that it's difficult to tell whether it will play nice with the final update issued by Microsoft. My gut tells me Microsoft won't wait until April 11 to release its update, as we will likely see even more Web sites being hacked or created by attackers to host malicious code that leverages the IE flaw to install badware. By Brian Krebs | March 28, 2006; 10:03 AM ET Washington Post Links to patches: http://www.eeye.com/html/research/alerts/AL20060324.html http://www.determina.com/security_center/security_advisories/securityadvisory_march272006_1.asp Quote Link to comment Share on other sites More sharing options...
CA3LE Posted March 28, 2006 CID Share Posted March 28, 2006 http://www.testmy.net/articles/article-527 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.