I just read over at The Security Mentor that there's still debate about whether Microsoft actually closed this ADODB.Stream ActiveX hole, recently exploited by Scob, with their recent software update patch. With a little digging, I found this NTBugtraq item on an unfixed Scob variant and this Bugtraq post saying "THE VULNERABILITY STILL WORKS AFTER TODAY'S PATCH". If this is still a problem, and it looks like it is, then Microsoft hasn't closed the hole at all.
It sounds like they've known about this variant attack on ActiveX for just as long as the ADODB.Stream hole. So why didn't they patch it with the Friday software update too? The only explanations I can come up with are that either they just thought that an incomplete fix now was better PR than a more complete fix later or they have customers who depend too heavily on this Shell.Application ActiveX control so they decided they couldn't disable it like they did ADODB.Stream.
The good news is that even though Microsoft seems content to leave IE vulnerable to this Scob attack, the Windows Registry change to close the rest of the hole is available at the NTBugtraq link above.
How did this mess happen? I'm no security expert, so I may not be completely accurate on the technical details, but I think I've got the basics and the timeline correct, and this is what I think happened:
ActiveX, combined with Windows security zones, makes it possible for IE to automatically download and install software without user intervention, that is, without the user seeing any dialogs or giving any explicit permission for that download and install. This is quite scary, and I don't think there's a Mozilla equivalent. There are several mechanisms available to ActiveX programmers to do this, but all are supposed to be restricted to the most trusted Windows security zone, which is supposedly open only to intranet pages and not to the internet. It turns out, however, that zones are broken and pages on the internet can use a couple of bits of ActiveX as if they were supposedly safe intranet pages.
Microsoft was informed of this problem nearly a year ago and failed to fix it. After the Scob attack broke (June 10), Microsoft spent about three weeks apparently unable to fix the real problem, and instead talked to important customers (big companies that standardized on IE and ActiveX) about simply disabling the ADODB.Stream feature. By Friday, they had gathered enough data, and seen enough bad press, that they decided to push an update that disabled ADODB.Stream with a simple registry switch that had been publicly available from an independent security research group for the better part of the month (but not something Microsoft was loudly advertising).
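A registry switch of this kind is IE's per-control "kill bit": a `Compatibility Flags` DWORD with bit 0x400 set under the ActiveX Compatibility key, which stops IE from instantiating that control regardless of zone. The following PowerShell script is an added example, not code from this post or from the NTBugtraq workaround; it audits (and, with `-Apply`, sets) the kill bit for the controls named here, resolving each ProgID to its CLSID from the local registry rather than hardcoding class IDs. The ProgIDs `ADODB.Stream` and `Shell.Application` are taken from the text above; everything else is assumed.

```powershell
# Added example: audit the IE ActiveX kill bit for the controls discussed in
# the post and optionally set it. Assumes Windows PowerShell; -Apply needs an
# elevated session because it writes under HKLM.
param(
    [string[]]$ProgId = @('ADODB.Stream', 'Shell.Application'),
    [switch]$Apply
)

$KillBit   = 0x400   # Compatibility Flags bit that blocks the control in IE
$CompatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ControlClsid([string]$id) {
    # Resolve ProgID -> CLSID from HKEY_CLASSES_ROOT so no class ID is hardcoded.
    $k = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$id\CLSID" `
                          -ErrorAction SilentlyContinue
    if ($k) { return $k.'(default)' }
    return $null
}

function Test-KillBit([string]$clsid) {
    # True only if the key exists and the 0x400 bit is present in the flags.
    $p = Get-ItemProperty -Path (Join-Path $CompatKey $clsid) `
                          -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if (-not $p) { return $false }
    return (($p.'Compatibility Flags' -band $KillBit) -ne 0)
}

function Set-KillBit([string]$clsid) {
    $path = Join-Path $CompatKey $clsid
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $cur = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                             -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$cur) -bor $KillBit   # keep any other flags already set
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
}

foreach ($id in $ProgId) {
    $clsid = Get-ControlClsid $id
    if (-not $clsid) { Write-Output "$id : not registered on this machine"; continue }
    $set = Test-KillBit $clsid
    $state = if ($set) { 'SET' } else { 'NOT set' }
    Write-Output ("{0} {1} kill bit {2}" -f $id, $clsid, $state)
    if ($Apply -and -not $set) {
        Set-KillBit $clsid
        Write-Output "$id : kill bit applied"
    }
}
```

Run without `-Apply` first to see which of the two controls is already blocked on a given machine; a control reported as registered with the kill bit NOT set is one a page in any zone could still instantiate.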
Having left IE users open to this known exploit for almost a year, and then left their customers open to the "in the wild" Scob attack for about three weeks, Microsoft finally pushed out an update that worked around (rather than fixed) only part of the problem!
So, IE "features" which have been known to be insecure for quite a while, and which were being actively exploited by bad guys using high-profile banking and e-commerce web sites, were partially disabled by Microsoft when the pressure from bad press (and hopefully customer complaints) got sufficiently high. This is what Microsoft calls "Trustworthy Computing"?
Posted by asa at July 4, 2004 09:37 AM

There's still debate about whether Asa actually closed the <tt> element with his recent blog post. With a little digging, I found some page source with an open <tt> tag. If this is still a problem, and it looks like it is, then Asa hasn't closed the tag at all. ;-)
Yeah that hole is looking worse by the day. It's also looking correspondingly good for Firefox.
Posted by: Rory Parle on July 4, 2004 10:30 AM

Yeah, people are starting to realize that Internet Explorer is too risky to browse the internet. With more pundits saying simply 'change your browser' instead of 'patch and continue', Mozilla will benefit greatly. Of course, I hope these pundits tell their readers to still check Windows Update because of IE's nefarious ties to the OS itself.
BTW, Mozilla has around a 20% stake on Gamefaqs, most of which use Firefox.
http://www.gamefaqs.com/poll/index.html?poll=1690
Are Windows users at risk even if they don't actively use IE?
Posted by: Greg K Nicholson on July 4, 2004 11:01 AM

Greg, IE is used by other bits of Windows (like update) and may be launched by other applications even if you don't use it as your primary browser. The best thing I can think to do if you use Windows is to go into Internet Options and jack up the security levels to high for all zones, and go to the Advanced settings and turn off everything that sounds dangerous and turn on everything that sounds like a warning.
Maybe others have better steps to protect yourself. I'm not a regular IE user so I'm not terribly familiar with all the switches.
--Asa
Posted by: Asa Dotzler on July 4, 2004 11:22 AM

Greg: yes. Many shady products can still access ActiveX and such from the OS, I believe.
Posted by: rgw on July 4, 2004 11:22 AM

Unfortunately this comes a little too early for us to aggressively push Firefox. We need to make sure to stick to our stated schedule so that we can get Firefox 1.0 out of the door before people forget about this and return to their "patch and continue" mentality.
Posted by: Ali Ebrahim on July 4, 2004 01:52 PM

It's hard to push Firefox if it isn't translated. Instead I see Mozilla 1.7 with nice browser and mail integration, and translated. Guess which one is my recommendation.
Posted by: Alfonso on July 4, 2004 02:18 PM

Then go and translate, or ask for help in the NGs if you can't.
Posted by: Abdulkadir Topal on July 4, 2004 04:15 PM

It's the customers. They're also why XP shipped with adding new users as admins by default.
Posted by: gman on July 4, 2004 08:35 PM

All of your 'comments' and 'suggestions' about continuing to use Windows and various other 'adequate' but still insecure browsers amaze me. Why don't you all be part of the solution instead of fueling the problems and further endorsing MICRO-soft?
LINUX LINUX LINUX
slackware.com