[ISN] MS hatches July patch batch

InfoSec News isn at c4i.org
Thu Jul 15 04:40:37 EDT 2004


http://www.theregister.co.uk/2004/07/14/ms_july_patches/

By John Leyden
14th July 2004

Microsoft released seven new patches yesterday. There's some help for 
IE users worried about last month's Download.Ject security scare, but 
you are going to have to wait for a comprehensive fix.

Two of the fixes - involving flaws with Windows Task Manager (MS04-022 
(http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx)) 
and the HTML help function used by Internet Explorer (MS04-023 
(http://www.microsoft.com/technet/security/bulletin/MS04-023.mspx)) 
and - are deemed to be critical. Either of these flaws could be used 
to take control of vulnerable systems, Microsoft warns.

Redmond also released a patch MS04-021
(http://www.microsoft.com/technet/security/bulletin/MS04-021.mspx) for
a less serious flaw involving older versions of its Internet
Information Services Web server software (IIS 4.0). This along with
fixes for flaws involving the user interface, or shell, or Microsoft
Windows (MS04-024
(http://www.microsoft.com/technet/security/bulletin/MS04-024.mspx));  
Microsoft Windows Utility Manager (MS04-019
(http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx))  
and POSIX Subsystem of Microsoft Windows (MS04-020
(http://www.microsoft.com/technet/security/bulletin/MS04-020.mspx))  
are described by Microsoft at important. Finally there’s an update
designed to fix a moderate vulnerability with Outlook Express
(MS04-018
(http://www.microsoft.com/technet/security/bulletin/MS04-018.mspx)).

Separately Microsoft released a tool 
(http://www.microsoft.com/security/incident/download_ject.mspx) to 
clean up machines infected during last month's Download.Ject security 
flap. Users visiting a website contaminated with Download.Ject 
activated a script that downloaded a Trojan horse (called Berbew) from 
a website in Russia. This website was rapidly taken down, but the 
underlying vulnerability in Internet Explorer used in the 
Download.Ject attack remains unpatched, despite a workaround from 
Microsoft designed to limit the scope for mischief.

Redmond released these configuration changes earlier this month and 
yesterday followed up tool to remove variants of the Berbew Trojan 
from infected systems. Berbew (http://www.lurhq.com/berbew.html) (AKA 
Webber or Padodor) is capable of extracting passwords and login 
details from victims and forwarding this confidential data to 
crackers.

The risk posed by future Download.Ject-style attacks prompted security 
clearing house US-CERT advise users to ditch IE, a call repeated by 
security experts today.

Thomas Kristensen, CTO at security firm Secunia, told El Reg: "There 
are a variety of vulnerabilities with Internet Explorer that have been 
around for a while and are been actively exploited. Several are 
unpatched. We recommend our customers to use another browser for 
general web surfing and to limit their use of IE to trusted websites 
where its functionality is required, such as banking websites." 





More information about the ISN mailing list