[ISN] MS hatches July patch batch
InfoSec News
isn at c4i.org
Thu Jul 15 04:40:37 EDT 2004
http://www.theregister.co.uk/2004/07/14/ms_july_patches/
By John Leyden
14th July 2004
Microsoft released seven new patches yesterday. There's some help for
IE users worried about last month's Download.Ject security scare, but
you are going to have to wait for a comprehensive fix.
Two of the fixes - involving flaws with Windows Task Manager (MS04-022
(http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx))
and the HTML help function used by Internet Explorer (MS04-023
(http://www.microsoft.com/technet/security/bulletin/MS04-023.mspx))
and - are deemed to be critical. Either of these flaws could be used
to take control of vulnerable systems, Microsoft warns.
Redmond also released a patch MS04-021
(http://www.microsoft.com/technet/security/bulletin/MS04-021.mspx) for
a less serious flaw involving older versions of its Internet
Information Services Web server software (IIS 4.0). This along with
fixes for flaws involving the user interface, or shell, or Microsoft
Windows (MS04-024
(http://www.microsoft.com/technet/security/bulletin/MS04-024.mspx));
Microsoft Windows Utility Manager (MS04-019
(http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx))
and POSIX Subsystem of Microsoft Windows (MS04-020
(http://www.microsoft.com/technet/security/bulletin/MS04-020.mspx))
are described by Microsoft at important. Finally there’s an update
designed to fix a moderate vulnerability with Outlook Express
(MS04-018
(http://www.microsoft.com/technet/security/bulletin/MS04-018.mspx)).
Separately Microsoft released a tool
(http://www.microsoft.com/security/incident/download_ject.mspx) to
clean up machines infected during last month's Download.Ject security
flap. Users visiting a website contaminated with Download.Ject
activated a script that downloaded a Trojan horse (called Berbew) from
a website in Russia. This website was rapidly taken down, but the
underlying vulnerability in Internet Explorer used in the
Download.Ject attack remains unpatched, despite a workaround from
Microsoft designed to limit the scope for mischief.
Redmond released these configuration changes earlier this month and
yesterday followed up tool to remove variants of the Berbew Trojan
from infected systems. Berbew (http://www.lurhq.com/berbew.html) (AKA
Webber or Padodor) is capable of extracting passwords and login
details from victims and forwarding this confidential data to
crackers.
The risk posed by future Download.Ject-style attacks prompted security
clearing house US-CERT advise users to ditch IE, a call repeated by
security experts today.
Thomas Kristensen, CTO at security firm Secunia, told El Reg: "There
are a variety of vulnerabilities with Internet Explorer that have been
around for a while and are been actively exploited. Several are
unpatched. We recommend our customers to use another browser for
general web surfing and to limit their use of IE to trusted websites
where its functionality is required, such as banking websites."
More information about the ISN
mailing list