Microsoft Confirms 'Highly Critical' IE Hole

[mandy]

Microsoft plans to release a pre-patch advisory to provide mitigation guidance and workarounds for a code execution browser flaw that could lead to PC takeover attacks. The flaw puts the computers of millions of Internet Explorer users at risk...

The vulnerability was confirmed on a fully patched system with IE 6.0 and Microsoft Windows XP SP2. It has also been confirmed in IE 7 Beta 2 Preview, Secunia said.

The MSRC (Microsoft Security Response Center) said in a blog entry that users of the new refresh of the IE7 Beta 2 Preview announced at Mix '06 are not affected...

full article: http://www.eweek.com/article2/0,1895,1941507,00.asp

One note: there are 2 versions of IE7 Beta 2 Preview-the version released in February and the 2nd version released on 20/3/2006.  In order to install the 2nd version you must first uninstall the 1st version.  The 20/3/2006 release is not affected by this bug, but all other versions of IE6 and IE7 are affected.

You can download the 20/3/06 IE7 release here: http://www.microsoft.com/windows/ie/ie7/...irect.mspx

[bargainbloodhound]

In order to install the 2nd version you must first uninstall the 1st version.

Which is a friggin' PITA. 

The microsoft announcement has more information: http://www.microsoft.com/technet/securit...17077.mspx

[mandy]

Update: an exploit was released on the Web and attackers are hitting IE:

Microsoft confirms a wave of drive-by downloads targeting a zero-day browser vulnerability and says Internet Explorer users can expect a patch on April 11, if not sooner.

Malicious hackers are using hijacked Web servers and compromised sites to launch a wave of zero-day attacks against an unpatched flaw in Microsoft's Internet Explorer browser.

The first wave of drive-by downloads was spotted on March 25, and security experts tracking the attack say the threat is growing at a rate of 10 new malicious URLs every hour.

full article: http://www.eweek.com/article2/0,1895,1942570,00.asp

[mandy]

A related turn of events:

The ongoing zero-day attacks against users of Microsoft's Internet Explorer browser have taken an ominous, social-engineering twist.

According to an alert issued by Websense Security Labs, in San Diego, excerpts from actual BBC News stories are being used to lure IE users to Web sites that launch drive-by downloads of bots, spyware, back doors and other Trojan downloaders.

One version of the spammed e-mail seen by eWEEK contains a portion of a BBC News item published on March 27 about the Chinese yuan hitting a post-revaluation high against the U.S. dollar.

After the legitimate excerpt, the hackers embedded a "read more" link that points to a Web site that contains a spoofed copy of the BBC News story from the e-mail...

full article: http://www.eweek.com/article2/0,1895,1944579,00.asp

[mandy]

Micrsoft will release a patch for this security hole on Tuesday.  A fix for the other security hole that was discovered late last week will not be patched tomorrow however.

A fix for a widely exploited flaw in Internet Explorer is among five security patches Microsoft told users to expect next week.

Following weeks of speculation whether the CreateTextRange vulnerability would force the software giant to break from tradition and release a special patch, Microsoft said Thursday the patch is among four others slated for April 11.

The company expects to release five security patches: four (including one deemed "critical") affect the Windows operating system and one addresses a "moderate" vulnerability in Microsoft Office. ..

full article: http://news.earthweb.com/security/article.php/3597546

[regic]

Update:

Microsoft Tuesday released five security bulletins that patched 14 different vulnerabilities, including an awaited fix for Internet Explorer, the browser which has been victimized for weeks by multiple exploits installing adware, spyware, and keyloggers on users' PCs.

Three of the bulletins were tagged as "critical," one as "important," and the fifth as "moderate;" that last is Microsoft's second-from-the-bottom alert.

However, the majority of the 14 bugs in the 5 bulletins were labeled "critical" by the Redmond, Wash. developer, meaning that they should be patched as soon as possible. Of the 9 critical flaws, 7 relate to the MS06-013 security bulletin, a massive update for Internet Explorer 5.0 and 6.0 (but not, apparently, the Beta 2 Preview of IE 7).

full article: http://www.informationweek.com/news/show...=185300437

[mandy]

Update:

An Internet Explorer update released earlier this week can interfere with some applications, including Google's Toolbar, according to PatchLink, a maker of patch management software.

Other applications affected by the Web browser patch include business software from Oracle's Siebel customer relationship management unit and certain Web applications that use specific versions of Java, PatchLink said Friday.

The problems arise because of changes Microsoft made to how the Web browser handles Web programs called ActiveX controls....

full article: http://news.com.com/Company+warns+on+IE+...g=nefd.top

[Kristijntje]

More news on the problems caused by Microsoft's latest patch:

Two patches released in Microsoft's April batch of security updates are causing system hangs, Windows crashes and the appearance of strange dialog boxes...

Windows users deploying the MS06-015 update have also complained about problems accessing special folders like "My Documents" or "My Pictures."

In addition, the update is causing Microsoft Office applications to stop responding when Office files are saved or opened in the "My Documents" folder; system freezes when opening a file through an application's file/open menu; and lockups when typing a URL into IE...

full article: http://www.eweek.com/article2/0,1895,1950095,00.asp

[mandy]

Update: Microsoft will be reissuing a fixed version of the recent MS06-015 update which has been causing lockups and crashes for users.

The Redmond, Wash. software maker plans to rerelease the problematic MS06-015 update on April 25 to correct an issue that has caused system hangs, Windows crashes and the appearance of strange dialog boxes after the original patch was installed.

"[We have] re-engineered the MS06-015 update to avoid the conflict altogether," said Stephen Toulouse, program manager in the Microsoft Security Response Center.

The company's plan is to target the rerelease only to Windows users who are affected. In a blog entry, Toulouse said the company's patch deployment technologies will have "detection logic" built into them to only offer the revised update to customers who don't have MS06-015 or are having the problem....

full article: http://www.eweek.com/article2/0,1895,1952463,00.asp