By Jay Lyman TechNewsWorld Part of the ECT News Network
12/02/04 11:18 AM PT
Wide adoption of the latest Explorer patch may be hindered because it requires more effort than the typical Windows update. "This one's going to take a little more effort," said Ken Dunham of iDefense. "You have to remember, there's a huge number of people who will not patch and we do expect continued iframe exploits."
Two weeks before its regularly scheduled round of security updates for Windows, Microsoft (Nasdaq: MSFT) released an out-of-cycle patch for its Internet Explorer browser in response to a month-old critical hole.
The vulnerability -- an HTML handling issue referred to as an "iframe" flaw that affects mostly older versions of the Windows operating system -- is not a problem in Windows XP systems that have been updated with Microsoft's major security upgrade of this year, Service Pack 2 (SP2), the company said.
However, since first disclosed in early November, there have been a number of exploits of the vulnerability by so-called Trojan programs that give attackers control of machines and by viruses, including variants of the MyDoom worm, iDefense director of malicious code intelligence Ken Dunham told TechNewsWorld.
Up to Users
"A week after [the vulnerability was disclosed], we saw there was widespread exploitation with several variants of MyDoom," Dunham said. "This was widely exploited by worms, backdoor Trojans, and we saw careful, coordinated attacks. Obviously, this was an elevated concern that we were watching every day."
Dunham said the availability of a patch from Microsoft, which has complained about the public disclosure of the vulnerability, was needed to defend against attacks. The security expert added, however, that security depends on users.
"You have to remember, there's a huge number of people who will not patch and we do expect continued iframe exploits," Dunham said.
Attacked Before Patched
Microsoft, which advised its customers to install the update immediately, said the vulnerability in Internet Explorer could allow remote execution of code by an attacker, who could install programs; view, change or delete data; and create new accounts with full privileges.
Dunham said disclosure of the vulnerability was quickly followed by exploit code and malware, including worms and Trojans. He also indicated that much of the malicious activity based on the vulnerability was occurring "under the radar," leaving victims unaware that their computers are compromised.
"We know there's been a lot of exploitation of this vulnerability in the last few weeks," Dunham said.
Update Not Easy
Wide adoption of the latest Explorer patch might be hindered because it requires more effort than the typical Windows update. "This one's going to take a little more effort," Dunham said.
Nevertheless, Dunham praised the out-of-cycle patch from Microsoft, which normally provides security updates in a batch on the second Tuesday of each month.
Richard Stiennon, vice president of threat research at Webroot, said security gaps in browsers such as Explorer have become less of a concern with worms, but a bigger problem with spyware.
"It's perfect for spyware," Stiennon told TechNewsWorld of the iframe flaw. "It was a very critical vulnerability because it did allow the execution of arbitrary code."
Although it might appear that only a "brow beating" from the security community prompted Microsoft to offer the patch, the software giant had improved its response compared to another serious Explorer hole that took nearly six months to patch. "Four days would be better, but four weeks is a start," Stiennon said.
Browser Beating
Security experts agreed that Microsoft's Internet Explorer -- the reason for nearly all of the out-of-cycle patches released since a monthly schedule began in October 2003 -- is among the most vulnerable and targeted software today.
In addition, Explorer's tight integration into the Windows operating system and related e-mail, messaging and other programs has created more Windows vulnerabilities.
"As always planned, [Explorer] is the window to the Internet," Stiennon said. Not coincidentally, it is also "the number one problem with Microsoft products."
Stiennon credited the security of other browsers such as Firefox to diversity and built-in features such as port blocking. Stiennon added that Microsoft is not, to his knowledge, working to add security features or to revamp Explorer.