By Jay Lyman TechNewsWorld Part of the ECT News Network
12/11/03 9:45 AM PT
Microsoft's (Nasdaq: MSFT) new monthly-patching policy is being put to the test as several vulnerabilities, including another Internet Explorer hole disclosed this week, present attackers with an opportunity.
The latest IE hole -- announced by Secunia, the same Danish security company that disclosed a separate, critical hole in Internet Explorer late last month -- could be exploited and used to spoof a Web site by displaying a fake URL in the address bar, according to Secunia.
Microsoft, which said Secunia's previous disclosure was not responsible, is meanwhile skipping the December cumulative Internet Explorer patch that was due under the Redmond, Washington-based company's new monthly patching schedule. The company has indicated it is reluctant to ship a December patch that might not be ready and will instead wait for the January release, scheduled for January 13th. The last cumulative patch for Internet Explorer was released November 11th.
While Microsoft has said it will preempt its monthly patching schedule if a situation dictates, iDefense malicious code intelligence manager Ken Dunham said there are nearly 20 vulnerabilities being discussed by both security experts and attackers.
"There is definitely exploit code available for some of the new vulnerabilities that we have heard about," Dunham told TechNewsWorld. "There are also unconfirmed reports of attacks against unpatched machines."
Link Liability
Secunia, which last month reported a separate set of IE holes that would allow attackers to redirect user browsers and take control of systems, said the latest "input validation error" in IE could be exploited to trick users into divulging sensitive information or unknowingly downloading and executing malicious code.
Forrester research director Michael Rasmussen said attackers will take advantage of whatever they can to fool users into doing something they should not. However, he pointed out that sophisticated, hard-to-spot spoofs also might trick users who think they are doing what they should be doing.
Rasmussen said the danger of disclosing information or downloading malicious code is somewhat mitigated by corporate content filters and other interception, but he added that companies are still 75 percent exposed to the fake site foibles.
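The article does not describe how the address-bar spoof works, so the following is an added illustration, not code from the article, Secunia or Microsoft. It assumes one common shape of URL-display bug: a URL whose user-info segment (the part before "@") is made to look like a trusted host name and is followed by a percent-encoded control character, so that a renderer which stops at that character shows only the fake prefix while the browser connects to the real host after the "@". The host names, the sample URLs and the "naive renderer" are constructed for the example; the checks at the end are the kind of rule a content filter or proxy, as mentioned above, could apply before a user sees the address bar.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample URLs (not from the article or any advisory).
# The first two mimic the assumed spoof shape: a fake "user name" that looks
# like a trusted host, a percent-encoded control character, then '@' and the
# real host. The last two are controls: a plain URL and ordinary credentials.
SAMPLE_URLS = [
    "http://www.trusted.example%01@attacker.example/login",
    "http://www.trusted.example%00@attacker.example/",
    "http://www.trusted.example/login",
    "http://user:secret@attacker.example/",
]


def naive_display(url):
    """Model of a flawed address-bar renderer (an assumption for this example,
    not any browser's real code): percent-decode the URL and stop drawing at
    the first control character. This is what the user would see."""
    decoded = unquote(url)
    for i, ch in enumerate(decoded):
        if ord(ch) < 0x20 or ord(ch) == 0x7F:
            return decoded[:i]
    return decoded


def real_host(url):
    """The host the browser actually connects to: the authority part after the
    last '@', as the generic URL syntax defines it."""
    return urlsplit(url).hostname or ""


def suspicious_reasons(url):
    """Filter rules a proxy could apply. Returns the reasons a URL was flagged;
    an empty list means nothing was flagged."""
    parts = urlsplit(url)
    reasons = []
    # Credentials embedded in http(s) URLs are rare in legitimate traffic and
    # are the vehicle for this spoof shape, so flag any user-info at all.
    if parts.scheme in ("http", "https") and parts.username is not None:
        reasons.append("userinfo before '@' in http(s) URL")
    # A control character anywhere in the authority (after decoding) has no
    # legitimate use and is what truncates the naive display.
    decoded_authority = unquote(parts.netloc)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded_authority):
        reasons.append("control character in authority")
    return reasons


def analyse(urls):
    """Map each URL to (what the naive renderer shows, true host, flags)."""
    return {u: (naive_display(u), real_host(u), suspicious_reasons(u)) for u in urls}


if __name__ == "__main__":
    for url, (shown, host, reasons) in analyse(SAMPLE_URLS).items():
        print(url)
        print("  shown to user:", shown)
        print("  real host:    ", host)
        print("  flags:        ", reasons or "none")
```

For the first sample the naive renderer shows "http://www.trusted.example" while the request goes to attacker.example; both filter rules fire. The plain URL trips neither rule, and a URL with ordinary credentials trips only the user-info rule, which is why a filter that blocks on user-info alone needs an allowlist for the few internal tools that still use that form.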
Hanging in the Wind
In a statement to TechNewsWorld, Microsoft said it is investigating Secunia's reports of possible vulnerabilities. The company said at the time that it had not been made aware of any active exploits of the reported vulnerabilities.
Although Dunham stressed that reports of attacks leveraging the latest, unpatched vulnerabilities are unconfirmed, he nevertheless said Microsoft's monthly patching leaves people "hanging in the wind."
"We know there are a significant number of vulnerabilities that could potentially be patched," he said. "The time until they are could allow attackers to develop exploit code."
Dunham -- who said Microsoft likely thoroughly weighed the pros and cons of its monthly patching -- added that many attacks launched against home and corporate computers exploit old vulnerabilities for which patches are available but have not been applied.
Plan and Integrate
Despite concerns about the time lag between disclosure, discussion and exploitation of vulnerabilities and the availability of a patch, Forrester's Rasmussen said most companies are happy with Microsoft's new monthly schedule.
"It creates a little more exposure, but we can't eliminate exposure, unfortunately," he said. "Having something released once a month so [organizations] can integrate it into a maintenance schedule is wonderful; it's a great thing because they can plan and integrate."
Rasmussen, who said companies could not keep up with the previous weekly issuance of patches anyway, conceded the new schedule could leave Microsoft and users exposed, but said the software company likely would respond quickly to a large-scale attack.
"It's a risk they've got to take. They're still going to be able to break the cycle and get a fix out there in the case of a Slammer," Rasmussen added, referring to the damaging worm.
Indeed, Microsoft security program manager Stephen Toulouse told TechNewsWorld that the company "will take the appropriate action to protect our customers, which may include providing a fix through our monthly patch release process or an out-of-cycle patch, depending on customer needs."