
Internet Explorer Still Vulnerable

By David Worthington, BetaNews

July 7, 2004, 4:58 PM

A self-appointed security sleuth has uncovered a new vulnerability in Microsoft's Internet Explorer web browser that bears a close resemblance to the Download.Ject exploit. Although Microsoft patched Download.Ject last week, Dutch security expert Jelmer Kuperus found that Microsoft's efforts to fix the problem did not go far enough.

By making slight modifications to the Download.Ject source code, Jelmer has successfully bypassed the browser's latest security update. Jelmer's technique draws on a hole in the Shell.Application ActiveX object - similar to ADODB.Stream - to gain unrestricted access to Windows machines.

Jelmer has posted sample code to the Web.

A Microsoft spokesperson acknowledged that the software giant was aware of the problem and working diligently to correct it; however, the spokesperson claimed that Microsoft did not know of any instances where customers were impacted by the exploit.

In the meantime, before Microsoft delivers a series of updates to Internet Explorer in the coming weeks, customers can read up on Microsoft's safe browsing tips and practice safe computing to protect their PCs.

"This is disturbing but not surprising," said Yankee Group Senior Analyst Laura DiDio. "In the 21st century computing security updates are the most fleeting of all. Hackers are getting better at their craft and collaborating more."

DiDio continued, "When it comes to Microsoft there are clearly unassailable facts: Microsoft is the world's number one software maker and the first target of hackers. If anyone is subject to repeated attacks there will be a success rate. This will not change anytime soon."

Add a Comment (31 Comments)


By wormeyman

posted Jul 10, 2004 - 5:05 AM

I LOVE the knifed IE icon btw, it is pretty hilarious.

Score: 0

By Morsel

posted Jul 8, 2004 - 3:06 PM

I agree that Firefox is the way to go. In fact, I try to stay away from IE6 as much as possible now because it just plain sucks. They used to update this browser frequently when battling Netscape and once the battle was won they turned it off! What about IE 7.0? Tabbed browsing? Stable pop-up blocker? That's what users want now.

Score: 0

By reverand

posted Jul 9, 2004 - 4:21 AM

Guys, it's not like Firefox is immune to security holes; 0.9.2 was released because a shell exploit security hole was discovered. (This vulnerability is similar to Download.Ject.)

Score: 0

By jrepin

posted Jul 9, 2004 - 4:19 PM

Yeah, it was released because the Windows shell protocol is a security risk. And all that Mozilla is doing now is that they block this from running with their products. For example, Firefox 0.9.1 on other OSes like Linux and Mac OS is still safe. So there is nothing wrong with Mozilla, only that it let some insecure Windows component run with it.

Score: 0

By Kircle

posted Jul 9, 2004 - 7:57 AM

I don't think anyone is arguing with you on that. What we are saying is that Mozilla development is much more responsive than Microsoft's IE development. Mozilla appears to be constantly doing something: adding useful features, reducing unneeded bloat, fixing security issues in a *timely* manner, and in general optimizing their code.

Score: 0

By slentz

edited Jul 8, 2004 - 11:22 PM

Look at MSN. It has been updated 3-4 times in the last 2 years (the same amount of time since they last updated IE). It has the pop-up blocker, spam filter (OE can use it) and other things. I think Microsoft is just trying to be the first co. to make it to the $1,000,000,000,000 mark (like they need it).
They were going to send IE 7 out with XP SP2, but I haven't seen it.

Score: 0

By acey99

posted Jul 8, 2004 - 3:58 PM

Geez,
What's it going to take? Every time you turn around there's another bug in IE that allows a person to "Gain access to your system" or "Makes your system Vulnerable to attack".. Using a Mozilla-based browser (Mozilla, Firefox, etc.) is the cure; hopefully the Mozilla organization gets started on the Windows Explorer shell replacement soon.

When Will MS learn their stuff is crap ?

Score: 0

By utomo

posted Jul 7, 2004 - 10:47 PM

Microsoft needs to work harder to make IE better, after abandoning it for 2 years.

Microsoft also needs to update the IE download, which still uses the 2002 versions.
Otherwise it will affect the Windows and other product images.

Score: 0

By Aaroniekins

posted Jul 7, 2004 - 5:30 PM

Who cares if IE is vulnerable when the alternatives are better, faster and MORE SECURE?

Score: 0

By Kircle

posted Jul 7, 2004 - 7:21 PM

Because users do not always have a choice in deciding what browser to use. Sites sometimes require IE. Good example of a high profile heavily visited website? MSNBC. To access the entire site you need to be running IE on Windows. Seems ridiculous since up until recently this restriction didn't exist. IE on a Mac doesn't even qualify.

Score: 0

By rijp

posted Jul 9, 2004 - 5:23 PM

Do you people actually read what you type, or are you just spouting bad information again? Did you try MSNBC with Firefox or Mozilla, or even Netscape? I have all 3. It works fine. WTF are you talking about? You should really stick to being a user, and trying to get attention for yourself, because you don't know what you are talking about. And another thing, all you Microsoft haters out there, if you don't like it so much, and all you can do is piss on it, and bad mouth it, QUIT USING IT! It's real simple. You don't like it, great, you and your circle of 50 friends that use something else should be very happy; the only reason Microsoft gets press is because they are huge, and you are jealous. So quit being a ranting baby, use your *OTHER* browser, and shut the hell up.

Score: 0

By Kircle

posted Jul 12, 2004 - 6:03 PM

I am not a Microsoft hater, so please don't label me as such. If Microsoft produced the best web browser available, then I would use it in a second. In fact, I DID use IE for quite a while until Mozilla began to mature and overtook IE.

Regarding your other comment, read my comment below for more information on exactly what part of MSNBC does not work on Firefox. Thanks.

Score: 0

By jrepin

posted Jul 8, 2004 - 12:05 PM

Just another example of a badly coded site. And even on purpose. No wonder Microsoft gets sued for unfair competition all the time.

Score: 0

By rijp

posted Jul 9, 2004 - 5:25 PM

All the time? Where did you read this, your local school newspaper? That's old, jackass. They were sued ONCE. And the justice department dismissed all charges. Yeah, way to keep up with current events there, mr. wizard.

Score: 0

By Akirhol

posted Jul 7, 2004 - 10:17 PM

MSNBC works fine in Firefox, I'm on it right now, checkin' out the latest headlines...

I've been using Fox for awhile now, and have yet to find a website that I couldn't browse. There are a couple of features that don't work here and there, but I can live with that knowing I'm not using a slice of swiss cheese for a web browser.

Score: 0

By Kircle

edited Jul 7, 2004 - 10:51 PM

You cannot access any of the video content. This wasn't the case before the redesign. Other MSNBC features that were accessible before such as the popular This Week in Pictures became only compatible with IE on Windows for like a month, but they finally caved on that.

Note that this was a fairly recent change to their website (December 2003 I believe). Sorry, I did mention being unable to access the "entire site," but in hindsight I probably should have emphasized it.

Edit: So what I find odd is that in a time where most sites out there are trying to become more compatible with various browsers and operating systems, you have a site like MSNBC that purposely added additional restrictions on content access. So, like I said, sometimes a user doesn't have a choice on what browser they can use. For me, I sometimes have to walk from my Mac to my PC / or walk from my Mac and turn on my PC / or reboot from Linux into Windows just so I can watch a specific NBC News video.

Score: 0

By speedmeister

posted Jul 8, 2004 - 3:43 PM

While you are right in saying that some pages on MSNBC don't always work properly in other browsers, I think that for many people that is a non-issue. I think many people generally have other news sites that they enjoy going to. When push comes to shove I think many people will prefer the inconvenience of finding another news page to having to deal with the problems that are brought on by Internet Explorer. I don't really think that there is enough exclusive content there to keep most people from abandoning Internet Explorer if they dislike the browser.

Score: 0

By Kircle

posted Jul 9, 2004 - 7:51 AM

Quoted from their FAQ: MSNBC supports the most popular browsers and operating systems as measured by viewer usage.

In other words, MSNBC only fully supports IE on Windows. You're right, of course. But I can't help but ponder if their stats are partially skewed towards one browser and OS simply because they do not fully support anything else.

Score: 0

By rijp

posted Jul 9, 2004 - 5:30 PM

So if I am to follow your lame logic, and quoting that site "most popular browsers", that tells me that people actually *prefer* Internet Explorer. Maybe if Mozilla can actually conform to A standard, they might get somewhere. And, like I mentioned before.. it works fine. Maybe you are just so blinded by the fact that you like Mozilla, and have a problem with Microsoft, you are overlooking the obvious. The functionality for MSNBC works fine for Netscape AND Mozilla.. been working for years. What, you blind? Show me a specific example of what DOESN'T work. I am switching between both right now.. I don't even see a difference, perhaps you need to just calm down, and actually give useful information, instead of propagating more Microsoft lies, there buddy.

Score: 0

By Kircle

posted Jul 12, 2004 - 6:15 PM

Try to watch an NBC News video in Firefox. You can't. I already stated this above of course, but I'll assume you skimmed over it and repeat it for your sake.

My conclusion still stands. Sometimes people do not have a choice to not use IE.

Score: 0

By yohimbe9

posted Jul 7, 2004 - 9:43 PM

I don't get it, what part of MSNBC doesn't work in Firefox? I just tested 0.9.1 and it worked fine. I also fired up Safari on my Mac and it ran fine, too.

Score: 0

By Kircle

posted Jul 7, 2004 - 10:52 PM

Sorry, I go more in depth above in my response to Akirhol.

Score: 0

By esh3

posted Jul 7, 2004 - 7:36 PM

Does it surprise you that only IE will work on MSNBC? They surely don't want FIREFOX loading the MSNBC website faster than IE. Got to give Microsoft credit tho, they keep trying whenever they can. Gatesism at its best. Peace out.

Score: 0

By rijp

posted Jul 9, 2004 - 5:31 PM

Yeah, your post.. ignorance at IT's best.

Score: 0

By Kircle

posted Jul 7, 2004 - 10:54 PM

Just to clarify, only parts of MSNBC are not accessible to browsers other than Windows IE.

Score: 0

By geekymom

posted Jul 7, 2004 - 10:16 PM

I second that. I have Firefox 0.9.1 and I had no problems on MSNBC.

Score: 0

By Kircle

posted Jul 7, 2004 - 10:55 PM

Sorry for my ambiguous comment. Please see my response to Akirhol above.

Score: 0

By ScReWfAcE

posted Jul 9, 2004 - 7:00 PM

Do any of you guys realize that IE 6 is WAY better with Windows XP SP2?

Ever since I installed SP2 I have yet to get any adware, spyware or popups.

SP2 IE has a GREAT built-in popup blocker... (IMHO better than any ADDON) and an updated firewall that's really useful.

I believe when it's finally released it will be really secure.

Score: 0

By geekymom

posted Jul 12, 2004 - 3:17 PM

Yea, SP2 is still too buggy in my opinion. Firefox works just fine, thank you.

Score: 0

By VikingBlade

posted Jul 10, 2004 - 7:50 AM

Still good to get Quik-Fix.
http://www.pivx.com

Score: 0

By irdepesca572

edited Jul 10, 2004 - 10:54 AM

lol not bad

I think Mozilla is still good though :P

Score: 0