Volume 2, Number 48 -- December 14, 2005

Microsoft Patches IE Flaw Used in Trojan Attacks


by Alex Woodie


Microsoft unveiled two patches yesterday, the final round of patches expected from the software vendor this year. Yesterday's haul includes a cumulative patch that fixes several newly discovered vulnerabilities in Internet Explorer, including a critical flaw that was being exploited by Trojan horses, and which could let an attacker gain total control over an affected computer. The second patch fixes a less critical "elevation of privilege" vulnerability found only in Windows 2000 Service Pack 4.

It has been a long year for Microsoft's security research department, which yesterday issued the final regularly scheduled patches for 2005. But with exploit code for a months-old IE vulnerability circulating the Web, and Trojan horses finding their way onto people's PCs, this crew has had no time to relax over the last couple of weeks.

IE users are encouraged to immediately apply the patch found in Microsoft Security Bulletin MS05-054. This is a cumulative patch that fixes four vulnerabilities in IE, including one known as the Mismatched Document Object Model Objects Memory Corruption Vulnerability. This is the flaw that malicious code writers are currently using to take complete control over victims' computers when they visit a malformed Web site, and it is also the flaw for which Microsoft had considered issuing an out-of-cycle patch due to the damage the Clunky-B, Delf-LT, and like-minded Trojans are causing (see "Microsoft Looking Into Critical Security Vulnerability in IE").

Other flaws fixed by this patch include the COM Object Instantiation Memory Corruption Vulnerability, another critical problem that could let attackers take complete control of any copy of Windows running IE version 5 or 6; the HTTPS Proxy Vulnerability, a moderately dangerous vulnerability in the way IE handles basic authentication that could allow an attacker to read Web addresses in clear text even though they are sent over an HTTPS connection; and the File Download Dialog Box Manipulation Vulnerability, another moderately dangerous flaw that could lead to remote code execution. None of these flaws, which are a combination of publicly disclosed and privately reported vulnerabilities, are being exploited by attackers, according to Microsoft.


Only customers running Windows 2000 SP4 should worry about the second patch issued yesterday, Microsoft Security Bulletin MS05-055. This patch fixes a newly discovered, privately reported flaw in the Windows 2000 SP4 kernel that could allow a user who's logged on to take complete control of the system. This flaw, which was discovered by eEye Digital Security, is not yet being exploited by hackers or malicious software writers, according to Microsoft.

Unless Microsoft issues an out-of-cycle patch--which it keeps threatening to do, but which it rarely does--yesterday's two patches will be Microsoft's last for the year. If there are no more patches, the number of security patches issued for 2005 will total 55. This compares to 45 patches for 2004, 51 for 2003, 72 for 2002, and 60 for 2001. While each patch can fix multiple flaws, these numbers give us some barometer for measuring the security-related actions taken by Microsoft, which has made security one of its top priorities for the last two years.



Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik, Shannon O'Donnell,
Timothy Prickett Morgan, Victor Rozek, Kevin Vandever, Hesh Wiener
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc. (formerly Midrange Server), 50 Park Terrace East, Suite 8F, New York, NY 10034