
The trouble with Internet Explorer (and how to handle it)

Since the Nimda worm recently exploited a common vulnerability in Internet Explorer, one would think that Microsoft might make it easy for you and me to get our browsers up-to-date. Unfortunately, Microsoft has elected to continue its policy of piecemeal patches, even in the wake of this costly worm attack.
Written by Robert Vamosi, Contributor

Nimda exploited a vulnerability in Internet Explorer called "automatic execution of embedded MIME types." The worm created a JavaScript-infected Web page on infected servers that offered browsers a MIME type known as "audio/x-wav." Vulnerable Internet Explorer browsers that previewed this MIME type executed its malicious payload without the user's input. That's one of the ways Nimda jumped from Web servers to desktop PCs.
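As an added illustration (not part of the original article and not Microsoft's code), here is how a mail or proxy filter could flag the mismatch described above: a MIME part declared as a media type such as audio/x-wav whose file name marks it as an executable. The function name, the extension list, and the sample message are assumptions constructed for this example.

```python
from email import message_from_string

# Assumption: extensions a Windows desktop would treat as executable.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Assumption: declared types a client might hand to a media previewer.
PREVIEWED_PREFIXES = ("audio/", "video/", "image/")


def suspicious_parts(raw_message):
    """Return (content_type, filename) for each part that is declared as
    media but named like an executable (hypothetical helper)."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()  # lower-cased by the library
        # Checks Content-Disposition "filename", then Content-Type "name".
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ctype.startswith(PREVIEWED_PREFIXES) and ext in EXECUTABLE_EXTS:
            findings.append((ctype, name))
    return findings


# Constructed sample: one mislabelled part, one genuine audio part.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<html><body>hello</body></html>
--b1
Content-Type: audio/x-wav; name="sample.exe"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: audio/x-wav; name="chime.wav"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for ctype, name in suspicious_parts(SAMPLE):
        print(f"declared {ctype} but named {name}")
```

A check like this catches the mislabelled part at the gateway, but it does not replace the patch on the desktop.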

TO CORRECT THIS, users of Internet Explorer 5.01 need to download the MS01-020 patch. Users can also upgrade to Internet Explorer 5.5 Service Pack 2 edition or the new Internet Explorer 6.0.

The latter solution, downloading the latest and greatest version of the program, would seem to be the best solution. After all, the fixes developed for previous versions should now be incorporated, right? Well, yes and no.

If you:

  • use Windows 95, 98, or Me;

  • upgrade from IE 5, IE 5.01, IE 5.01 SP1, IE 5.5, or IE 5.5 SP1;

  • do not patch the previous version of IE 5 before upgrading to IE 6;

  • and select "Custom Install" without Outlook Express, or choose "Minimal Install" rather than the default setting...

then you are still vulnerable to the automatic execution of embedded MIME types problem, despite having Internet Explorer 6.0 on your machine.

While this may affect only a minority of people (those who choose not to go with the default settings), it might be more widespread than currently thought. Consider this: If you download Internet Explorer 6.0 on a 33.6Kbps modem, and you're already using the full-blown version of Outlook, then you might just be tempted to save a little time and not bother with Outlook Express. Unfortunately, the vulnerability resides within Outlook Express. (You see how complicated this gets?)

I've gotten e-mail from system administrators who are furious with Microsoft because they can't burn a patched version of Internet Explorer to take to every desktop in their corporation. That's not the way the game is currently played. If one wants to patch a desktop, one must download all the attendant updates and patches for that desktop. But during a crisis, particularly when a worm like Nimda is jamming the Internet with unusually heavy traffic, system administrators may not have the time to initiate downloads on each PC, especially if the patch required is a rather large download.

MICROSOFT SAYS that automatic downloads are the future, so partial updates and patches on individual desktops won't be as much of a problem. Windows Me already does this, and Windows XP will do it soon. XP users will be prompted to install the updates automatically, be reminded later, or allowed to turn off the automatic feature for manual execution at a later time. It's a start, but I foresee a long boot session that involves downloading new files every time I turn on my PC, with multiple reboots lasting until all the new fixes are installed.

There is another solution being floated. The British IT gossip site, The Register, reported Monday that at the Eleventh Virus Bulletin International Conference in Prague, Microsoft approached several antivirus vendors with the possibility of downloading MS patches along with the vendor's antivirus solutions. While vendors are cool to the idea, I can see such a proposal becoming reality.

Removing worms such as Nimda with antivirus software updates or antivirus tools doesn't remove the underlying vulnerabilities that allowed the worm to exist. I can see antivirus vendors clamoring to boast that their products will prevent the next Nimda attack.

Have you kept your IE patches up to date? Did the Nimda worm get you? TalkBack to me.
