Microsoft on Monday issued a critical update bulletin affecting users of its Internet Explorer (IE) Web browser. The cumulative update contains eight patches to prevent security breaches.
The notice comes nearly a week ahead of the company’s normal monthly update, planned for the second Tuesday of the month.
The flaws to be patched can allow remote code execution, in which a user clicks on a hyperlink in an e-mail that is then routed to an illegitimate server or to a hostile Web site, allowing an attacker to run code on the user’s computer.
All users of IE 5.01 and later, running on Windows NT, 2000 and XP, are urged to install the update, Microsoft said.
Too Many Updates?
In recent months, Microsoft has attempted to reduce the number of security updates it releases, instead bundling updates into larger monthly fixes. This latest patch is one of just a few breaks from that strategy so far.
As Peter Kastner, research vice president at Aberdeen Group, told the E-Commerce Times, “Microsoft walks a fine line between irritating customers with too many updates and not getting critical patches out to the people who need them in time to meet the next ‘BIG’ one.
“By sending this latest IE patch, Microsoft is tacitly admitting they’ve found problems that need to be fixed right away,” Kastner said. “The depressing aspect of all this is exactly a year after Microsoft shut down the company to root out security problems, they continue to crop up with enough frequency to concern both individual and enterprise users, according to our research.”
Is Danger the Norm?
The days of simple viruses and pranks that are a mere nuisance seem to be long gone. Malicious programs that cause widespread damage are becoming common. The current breach, known as a cross-domain security risk, potentially can force a user to be directed to a hostile site that masquerades as a legitimate Web address. The concept, known as phishing, caught the attention of The Federal Deposit Insurance Corporation (FDIC) last month when a fraudulent e-mail claiming to be from the FDIC routed people to a URL that looked legitimate, www.fdic.gov, but led to a Web server in Karachi, Pakistan.
Ken Dunham, director of malicious code at iDefense in Reston, Virginia, told the E-Commerce Times that corporations need to implement judicious measures to keep up with multiple patches. “We’ve seen widespread attacks against IE for many months now,” he said. “With thousands of lines of code, the features of IE can be easily exploited. It’s actually trivial to perform the exploit on code and increase authenticity of phishing attacks.
“It’s good to see the security updates rolled out, but in reality it requires certain changes in the corporate world, with more comprehensive security measures, making multiple patches more important,” Dunham added.
Burden and Loyalty
“The value of software is that it does something that meets needs of users. That’s why we have a Microsoft today,” Dunham said. “Their software is easy to use, gets the job done, and [gets it] done well. Security is a factor, but the end user will tolerate it because they have the functionality they want.”
Users, especially home workers, small businesses and individuals, could lower their risk of attack immediately by using the Mozilla or Netscape browser to search the Internet, Dunham noted.
On the other hand, he added: “Corporate users have more at stake, with Internet and intranet transactions dependent on interface with IE. It’s very expensive to consider migrating to an alternative technology and training people to use it. Making such a change in a large corporation is not an easy undertaking.”
Because deployment of security patches is becoming increasingly difficult, Microsoft has begun advising customers to launch an in-depth defense model to protect against virus, worm and other malware attacks affecting their systems, applications and data.
Brad Neehan, director for e-trust security management solutions at Computer Associates, told the E-Commerce Times that security requires vigilance across the board, including not only keeping pace with antivirus software updates, but also updating all network infrastructure with the latest available software and patches to guard against any vulnerability in the environment.
“It goes far beyond Microsoft,” he said. “Regardless of the operating platform, it is critical to continue to keep updated and to assess your environment.”
Aberdeen’s Kastner concluded: “The successful denial-of-service attack on SCO is exactly the fear that national security leaders have. If there are an estimated 150,000 to 200,000 PCs still infected, with a backdoor, they could be directed to any point on the Internet. If you’re trying to run a war, that’s very problematic.”
Clearly, customers share the burden of protecting their PC investment as Microsoft continues to battle those who exploit its software security flaws.