Critical IE Flaws Add to Windows Headache

The dog days of summer have certainly arrived for Microsoft. In the month of August alone, the company’s security personnel have had to contend with nearly half a dozen major worms, including MSBlast (aka LovSan and Blaster), two variants of SoBig (SoBig.E and this week’s SoBig.F, which may be the fastest-spreading worm of all time) and Nachi/Welchia, a so-called “good” worm that nevertheless is creating headaches for IT departments.

Late Wednesday, Microsoft released another security bulletin, this time for several vulnerabilities that affect its ubiquitous Internet Explorer Web browser and related e-mail and news applications, such as Outlook and Outlook Express, which use IE as their underlying display mechanism.

Microsoft rated the new vulnerabilities as “critical” for IE versions 5.01 to 6.0 and recommended that users install a cumulative patch, which also covers earlier IE issues, as soon as possible to ward off future exploits.

Disaster Unlikely

The newly revealed IE vulnerabilities provide hackers with front-end capabilities to load malicious code onto a victim’s PC, Yankee Group analyst Matthew Kovar told the E-Commerce Times.

By setting up and then enticing users to visit what Microsoft described as a “malicious Web site,” an attacker potentially could run an executable file already present on the infected computer or gain access to the compromised machine’s files.

However, Guardent information security officer Charles Kaplan said he doubts the latest IE flaws will cause the sort of havoc that SoBig.F and other worms have wreaked.

“The good news about the Internet Explorer [flaw] is that unlike Blaster and these other worms, your machine passively sitting there turned onto the Internet does not automatically become susceptible to attack. That’s why servers in general are a lot less vulnerable,” Kaplan told the E-Commerce Times. “You have to browse a Web site specifically set up to compromise your system or click on an Outlook or Outlook Express attachment” for the vulnerability to be exploited.

Social Engineering Potential

Although the IE flaws theoretically are simple to fix or avoid, social engineering could help attackers use them to exploit PCs, much like SoBig has duped users by spoofing the address of a known sender.

“If something is free or interesting, people will click on it,” Kaplan said. “If SoBig’s author had known about this when [he or she] was designing it, computers would be in a much more serious way.”

Michael Rasmussen, senior industry analyst for enterprise security at Forrester, told the E-Commerce Times that Microsoft has been doing a good job of responding to the recent flood of security breaches. He said he expects the incidence of exploits to abate somewhat as a result.

For his part, Kaplan noted that the vulnerabilities themselves follow no real pattern, so it seems somewhat odd that they all surfaced in quick succession.

“It’s a little bit random, [as if] all the miscreants got together and said, ‘Let’s really pound on Microsoft,'” he said.