commentary In July of 2003, Microsoft released a patch for a flaw within Windows' RPC DCOM, a flaw that by August of 2003 gave rise to the MSBlast worm.
Well, history repeats itself. On July 13, 2004, Microsoft released seven new Windows patches, two of which are deemed critical by the software giant. I'm willing to bet that it will be from one of these seven that a major new worm or virus will be born sometime in August.
I've talked before about what I call the Eschelbeck Theory, named after Gerhard Eschelbeck, a security researcher at Qualys. The theory states that only half of the vulnerable systems in the world are patched within the first 30 days of a patch's existence, and that within that same 30-day period, someone invariably releases a virus or a worm to take advantage of the still-vulnerable systems. Given that, the clock is already ticking on these new Microsoft vulnerabilities. Of course, several of the newly announced flaws also involve Internet Explorer in some way.
New Microsoft holes
One of the new Microsoft Security bulletins, MS04-023, involves Windows' HTML Help, a feature that provides help information within Windows but requires Internet Explorer to render it. Another flaw, MS04-022, involves the Windows Task Scheduler, an app that allows Windows to run programs at specified intervals, such as backup apps. Both of these critical updates can be exploited using Web site code rendered through Internet Explorer and Outlook, making them prime targets for crackers.
Another announced flaw targets Windows' Com subsystem, and a public exploit already exists for this. Although Microsoft considers it only an "important" update, many security experts caution that it should be treated as "critical," since the public exploit could quickly become a virus or worm.
Other flaws included within Microsoft's July security update include one involving a buffer overflow in IIS 4.0, a buffer overflow error in POSIX, privilege escalation among local users, and a potential denial-of-service attack on Outlook Express users.
IE is dead; long live IE
These aren't, of course, the first vulnerabilities in IE. A few weeks ago, I declared that Internet Explorer wasn't safe for online banking.
I got a ton of e-mail after that last column about how to make IE safer. The problem is that in Windows Me, 2000, and XP, you can't turn off Internet Explorer. It's too deeply married to your Windows operating system. Internet Explorer renders the HTML e-mail you receive in Outlook, the HTML text you see in Word, even the HTML Help files used within Windows applications. So if something seemingly minor breaks within the HTML Help file (which it did), a criminal hacker (cracker ) need only use your Internet Explorer to exploit it. Which may yet happen.
OK, you can disable IE. But doing so involves tweaking the system registry, the instructions for which are far too complicated for me to explain here.
So what can you do? As I've said before, it may be time to switch. According to one report, after some security officials advised users to move away from Internet Explorer, the use of IE actually decreased. Mind you, we're talking about a 1 percent drop, from 95 to 94 percent. Still, there was some erosion in the Internet Explorer dominance. But where should everyone go?
Unfortunately, the current browser alternatives are not without their own vulnerabilities. Shortly after I recommended using Mozilla or Firefox, new security flaws were discovered in both. It goes to show that when criminal hackers turn their attention to a target (even to a non-Microsoft target), they can usually find a flaw or two. Fortunately, the solution here is to download the very latest versions of Mozilla or Firefox.
The best way to prevent another MSBlast-like attack on your desktop PC within the next few weeks is to install the latest Microsoft patches, keep your anti-virus software up-to-date, and (if you haven't already) install a personal firewall. (Office users should first check with their IT staff to see whether this advice is appropriate.)
As for Internet browsing, I'm staying with Firefox for the time being. New plug-ins are becoming available, so I think it's just a matter of time before Firefox becomes the new standard for Internet browsing.