IE Security Flaw Upsets Microsoft Patch Schedule
A new, potentially critical flaw in Microsoft's Internet Explorer Web browser has been disclosed throughout public forums, while Redmond has yet to issue a single security bulletin for the month of December.
In the absence of direct action by Microsoft, the Denmark-based security firm Secunia issued its own advisory detailing the exploit earlier this week. Soon after, the author followed up with a demonstrative URL posted to the BugTraq security mailing list.
This latest flaw works by "spoofing" a legitimate domain name in the address bar by way of a specially crafted URL, opening the door to convincing "phishing schemes" and cross-site scripting attacks.
Phishing schemes make use of social engineering to obtain site passwords, credit card numbers and other personally identifiable information including social security numbers.
According to WhiteHat security researcher Jeremiah Grossman, the basic premise behind the IE flaw is "URL Obfuscation."
"Normally when this attack is executed, the URL looks similar to: http://email@example.com/index.html. The spoofed URL makes the Web page appear to be from www.microsoft.com, when it is actually located on www.foobar.com," explained Grossman.
"The interesting aspect of this flaw is when "%01" and "%00" are tacked on after the username and before the @. The visual URL in the browser then becomes http://www.microsoft.com with nothing following to give away the actual Web page location. There is no way to verify visually where the Web page is actually located. Very clever."
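As an added illustration (not code from the article or from Grossman), the following Python check pulls apart a link of the shape described above and reports the host a browser will actually contact, the host a reader would perceive, and any control characters hidden in the userinfo part; the sample links are constructed for the example.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample links (not taken from the article) in the shape it
# describes: a plain link, a userinfo spoof, and the %01/%00 padded variant.
SAMPLE_LINKS = {
    "plain": "http://www.microsoft.com/index.html",
    "userinfo": "http://www.microsoft.com@www.foobar.com/index.html",
    "padded": "http://www.microsoft.com%01%00@www.foobar.com/index.html",
}


def analyze_link(url: str) -> dict:
    """Report where an http(s) link really points and why it may be a spoof."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return {"verdict": "not-http", "real_host": None,
                "apparent_host": None, "control_bytes": []}
    # Everything before the last '@' in the authority is userinfo; only the
    # part after it is the host the browser connects to.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    real_host = hostport.split(":")[0].lower()
    decoded = unquote(userinfo)
    # C0 control characters and DEL are what the padded variant smuggles in;
    # list them in their percent-encoded form.
    control_bytes = sorted({f"%{ord(c):02X}" for c in decoded
                            if ord(c) < 0x20 or ord(c) == 0x7F})
    # What a reader sees: the userinfo with unprintable bytes removed and any
    # password portion (after ':') dropped.
    visible = "".join(c for c in decoded if ord(c) >= 0x20 and ord(c) != 0x7F)
    apparent_host = visible.split(":")[0].lower() or real_host
    looks_like_host = "." in apparent_host and apparent_host != real_host
    if userinfo and (control_bytes or looks_like_host):
        verdict = "spoof"
    elif userinfo:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"verdict": verdict, "real_host": real_host,
            "apparent_host": apparent_host, "control_bytes": control_bytes}


def flagged_links(urls) -> list:
    """Return (url, real_host) for every link that is not plainly ok."""
    return [(u, analyze_link(u)["real_host"]) for u in urls
            if analyze_link(u)["verdict"] != "ok"]


if __name__ == "__main__":
    for name, link in SAMPLE_LINKS.items():
        print(name, analyze_link(link))
```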
Published reports indicate that only Internet Explorer is affected by the attack.
For its part, Microsoft is aggressively investigating all reports of a possible vulnerability in Internet Explorer. While it has yet to receive notice of any affected customers, Microsoft has left open the possibility that it will distribute an "out of cycle" update, breaking from its defined monthly cycle of security patches.
Commenting on the alleged vulnerability, a company spokesperson told BetaNews, "Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities."
"We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities with no exposure to malicious attackers while the patch is being developed," said Microsoft.
Far from crying mea culpa, Microsoft claims that the vast majority of attacks and emergence of malicious code occur after the company highlights its own bulletins, fostering the decision to release bulletins on a scheduled basis.
Industry Questions Strategy
However, not everyone in the industry sees Redmond's modified disclosure policy as the silver bullet against malicious hackers.
"The IE flaw red flags Microsoft's strategy around responsible disclosure. The company believes potential flaws should not be made public until Microsoft has had a chance to investigate them and, when necessary, develop a patch," Joe Wilcox, senior analyst for Jupiter Research, told BetaNews. "But, that assumes the people looking for flaws are all responsible. In reality, people dig for flaws for lots of reasons - just for the heck of it, to hurt Microsoft or for competitive pecking."
In the meantime, before a fix is released and while industry pundits argue over proper disclosure, Microsoft advises its customers to follow its "Protect Your PC" guidance program by enabling a firewall, installing all available product updates and employing anti-virus software.
Internet Explorer is due for a version upgrade as part of the release of Windows XP Service Pack 2. The new edition of IE will tout added pop-up blocking technology aimed at locking down the browser. But the next major IE overhaul is not slated until the next release of Windows, code-named Longhorn, which is due in 2006.
According to testers, the first beta release of Windows XP SP2 will go live sometime next week.
A beta of Windows Update version 5 will coincide with the service pack, as Microsoft aims to improve Windows patches and avert mixed signals that have plagued customers as of late.
While no patches were to be distributed for the month of December, users of Windows Update found themselves alerted to the existence of a critical update for Windows XP on December 10.
The patch and security bulletin, numbered MS03-051, was initially released on November 11, 2003 to remedy a vulnerability in Microsoft FrontPage Server Extensions.
Although the patch was sent through Microsoft's distribution vehicles prior to this month, an error in a December 9 update to Windows Update's detection engine caused the patch to be displayed, sparking a certain degree of confusion among customers.