The Shields Are Damaged

“Microsoft confirmed Thursday that the createTextRange security flaw in Internet Explorer will be among those addressed in its monthly patch rollout April 11. In all, the company said on its TechNet site, customers can expect five updates for Microsoft Windows and Microsoft Office — at least one of them critical.”

The createTextRange vulnerability has been publicly known since March 22, 2006 (see the original advisory here). Exploits have been publicly available since March 23, 2006, such as this one posted to milw0rm shortly after the vulnerability was publicly announced. On March 27, 2006, SANS ISC reported that there were over 200 sites using this vulnerability and associated exploits to install malware and create botnets (see posting here). Seems to me that monthly patching should be more frequent because this doesn’t even take into account the people who had an exploit before all this went public.

Microsoft has yet to release a patch, and the only workaround for IE users is to disable active scripting, which by the way breaks some websites' functionality (which is ironic because Active scripting (ActiveX) is why most people are forced to use IE). Here’s a tip: use Firefox. Of course, then come the arguments, such as how to control Firefox with group policy, or what to do with applications that only work with IE. Check out the WetDog project for group policy control over Firefox. If you have applications that require IE, consider creating a shortcut that uses IE to access that application and let users do what they do best: click. Most organizations do not do this because they do not believe that IE vulnerabilities are a problem:

But now, she said, borrowing a phrase from the Star Trek universe, “the shields are holding.”

How is this measured? It is not like the days when worms were running loose destroying your networks. Times are different; malware (including spyware) and botnets are sneaky. They don’t want to be caught; it’s bad for business. They want to go undetected to fill your screen with pop-ups, turn your PC into a SPAM zombie, or quietly wait for the next command. Let me ask this question to our readers and listeners:

If a Windows box gets rooted with an IE exploit on the Internet, will anybody notice?

Full Article

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRT54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the CyberRisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, and he enjoys coding in Python and telling everyone he uses Linux.
