Information Security News mailing list archives

Microsoft Patches Fail To Fix Dangerous Security Flaw


From: InfoSec News <isn () c4i org>
Date: Wed, 14 Jan 2004 05:54:12 -0600 (CST)

Forwarded from: William Knowles <wk () c4i org>

http://www.washingtonpost.com/wp-dyn/articles/A13587-2004Jan13.html

By Brian Krebs
washingtonpost.com Staff Writer
January 13, 2004

Microsoft Corp.'s latest round of software patches fails to fix a flaw 
in its Internet Explorer Web browser that makes it easier for online 
criminals to dupe people into disclosing their credit card numbers, 
passwords and other private data.

Security experts were hoping that the patches, which were released 
today, would address the problem, but a Microsoft official said that 
the company is still devising a fix.

The flaw lets criminals control the information displayed in the 
address bar of Explorer's browser window. It was most recently used to 
trick people into visiting a forged version of the Citibank Web site. 
Once there, users were prompted to share personal identification and 
credit card account numbers. Citibank today warned people to steer 
clear of an e-mail that links to the fake site.

Security experts said that the flaw is easy to exploit.

"I could teach any grade school kid how to do it," said Ken Dunham, 
malicious code manager for Reston, Va.-based security company 
iDefense. "I'm very concerned for the Internet public at large because 
this is one of the most dangerous trends we've seen emerge."

The scheme is gaining notoriety after criminals sent e-mails earlier 
this month to customers of the PayPal online payment service and two 
British financial institutions that linked to fake Web sites. Last 
week, an e-mail scam tried to steal information from subscribers to 
Earthlink, the nation's third-largest Internet service provider.

"From a consumer standpoint, this is probably the most severe security 
flaw I'm aware of right now," said Johannes Ullrich, chief technology 
officer for the SANS Institute's Internet Storm Center, which tracks 
online attacks.

The false Web sites are the latest twist on "phishing scams," e-mails 
that lure customers into divulging their personal and financial 
information.

Roughly 5 percent of people who are actual customers of a company 
targeted by the bogus e-mails fall for the scams, said David Jevans, 
senior vice president at Tumbleweed Communications in Redwood City, 
Calif. Jevans also serves as chairman of the Anti-Phishing Working 
Group, a group of banks and e-mail security companies that fight 
phishing schemes.

"This is a highly profitable venture for people because there is 10 
times more money to be made in phishing scams than through regular 
spamming," Jevans said.

Experts called the Citibank ruse one of the most convincing. It began 
with a Web-based e-mail bearing the bank's trademark design, colors 
and logo. The message said that the company had suffered some problems 
with its data storage due to fraud activity, and urged customers to 
check their account balances.

"Citibank notifies all it's [sic] customers in cases of high fraud or 
criminal activity and asks you to check your account's balances. If 
you suspect or have found any fraud activity on your account please 
let us know by logging in at the link below," it said.

Security experts said that by failing to issue a patch to fix the 
problem, Microsoft is ignoring a serious problem.

"I see this trick being used in the wild almost daily now, and they 
definitely need to do something about it," said Ullrich.

Vincent Weafer, senior director of anti-virus company Symantec 
Security Response, said that the vulnerability also can be used to 
spread "backdoor Trojans," programs that allow hackers to control a 
victim's computer.

Several viruses have used clever e-mails to fool consumers into 
downloading Trojans disguised as critical security updates from 
Microsoft. Using the Explorer flaw could trick users into believing 
they are visiting Microsoft.com while they are downloading a Trojan 
from a bogus site instead, Weafer said.

"This vulnerability has all the ingredients needed for the propagation 
of malicious code, and I absolutely believe it will eventually be used 
for that purpose."

A Microsoft spokesman said the company is working deliberately on 
developing a patch to make sure it does not disable other features in 
the Windows operating system or prevent users from visiting legitimate 
Web sites.

"An incomplete patch can almost be worse than no patch at all," said 
Stephen Toulouse, security program manager with the Microsoft Security 
Response Center.

Today's batch of security updates is the third Microsoft has released 
since it announced that it would issue them on a monthly basis. 
Microsoft chief executive Steve Ballmer announced the change in early 
October following criticism that the company is not doing enough to 
protect Windows users. Microsoft said it made the changes to help ease 
the burden on system administrators by making its patching process 
more predictable.

The three patches Microsoft released today involve programs and 
vulnerabilities commonly found in corporate networks, not home user 
systems. One vulnerable component, however, a Web database management 
program known as "Microsoft Data Access Components" is shipped with 
nearly all versions of Windows. Users can check which updates they 
need to download at this Windows Update site.

For a safe demonstration of the Microsoft IE vulnerability, click here 
(this will only work for Internet Explorer users).

For information on how to protect yourself against phishing scams in 
general, check out the Federal Trade Commission Web site or 
anti-phishing.org.



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.