Interim Fix Released for Critical IE Flaw

Microsoft released an emergency configuration update over the July Fourth U.S. holiday that for the first time gives Internet Explorer users protection against the specific vulnerabilities exploited by the Download.Ject attack.

"We recommend that customers immediately install this configuration change through Windows Update," Microsoft said in a statement released Friday evening.

Microsoft's decision to release the configuration update 11 days before its next regularly scheduled Patch Tuesday on July 13 underscores what a serious problem the IE flaw represents. It is only the second time Microsoft has patched a flaw on any day other than the second Tuesday of the month since the company moved to a monthly patch cycle in October.

Meanwhile, the new patch protects against one specific way attackers can use the IE flaw, but more comprehensive fixes for Internet Explorer are necessary. Microsoft says it is working on releasing a comprehensive update of IE. The stopgap configuration update is currently available for Windows XP, Windows Server 2003 and Windows 2000. Microsoft is working on versions for Windows 98 and Windows Me.

The Download.Ject attack is one of the rare cases where a major vulnerability exploited by an attack in the wild has not already been patched by Microsoft days, weeks or months before the exploit code emerged.

Download.Ject relies on two vulnerabilities. One, in the Internet Information Services (IIS) 5.0 component of Windows 2000, was patched by Microsoft in April. The other, in Internet Explorer, apparently emerged with an adware exploit in early June, and had not been fixed despite its severity. The unpatched flaw in the Web browser gives attackers the opportunity to execute code on a user's computer without any user action other than visiting a URL where malicious code lurked.

While it is relatively hard for attackers to lure large numbers of users to sites created for such malicious purposes, the Download.Ject attackers used the IIS 5.0 flaw to compromise servers at several high-traffic sites. With no IE patch available for the flaw, end users had no defense against the two-part attack. Several prominent security officials recommended users abandon IE altogether until the problems were fixed.

"We have been working around-the-clock to further address the criminal malware targeting Internet Explorer users," Microsoft said in the statement announcing the configuration update.

The company's first response upon learning of Download.Ject on Thursday, June 24, was to work with law enforcement authorities and ISPs to shut down a Web server in Russia that Microsoft says was the origination point of the attack.

Microsoft described its configuration update as improving resiliency to protect against the Download.Ject attack. The Internet Storm Center, run by the SANS Institute, explains that the patch turns off the ADODB.Stream ActiveX Control that was used to install malware on PCs in the original attack. "However, … even after 'ADODB.Stream' is disabled, it is still possible to launch programs on the user's system without user interaction," SANS warned.
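For administrators who need to confirm that the configuration update actually landed on a machine, the following PowerShell check is an added example and is not code from the article, from Microsoft or from SANS. It relies on the standard Internet Explorer mechanism for disabling a control, the "kill bit" (bit 0x400 of the Compatibility Flags value under the ActiveX Compatibility registry area). The CLSID used as the default is the one I believe ADODB.Stream registers under; the article does not state it, so treat it as an assumption and verify it against Microsoft's advisory before using the script for anything beyond a spot check.

```powershell
# Added example (not from the article, Microsoft or SANS): report whether the
# IE kill bit is set for a given ActiveX control. The configuration update
# described in the article disables ADODB.Stream this way.
# ASSUMPTION: the default CLSID below is the ADODB.Stream class id as I recall
# it; the article does not give it, so confirm it against Microsoft's advisory.
function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid
    )

    $killBit = 0x400   # the bit IE honours to refuse loading a control
    $keyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

    $result = [ordered]@{
        Clsid      = $Clsid
        KeyPresent = Test-Path -Path $keyPath
        Flags      = $null
        KillBitSet = $false
    }

    if ($result.KeyPresent) {
        $item = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.'Compatibility Flags') {
            $result.Flags = [int]$item.'Compatibility Flags'
            # Compatibility Flags is a bitmask, so test the bit rather than
            # comparing the whole value against 0x400.
            $result.KillBitSet = (($result.Flags -band $killBit) -eq $killBit)
        }
    }

    return [pscustomobject]$result
}

# Usage: check the control the article says the update turns off.
$adodbStreamClsid = '{00000566-0000-0010-8000-00AA006D2EA4}'   # assumed, see note above
$status = Test-ActiveXKillBit -Clsid $adodbStreamClsid
$status | Format-List

if (-not $status.KillBitSet) {
    Write-Warning "Kill bit not set for $($status.Clsid); the configuration update does not appear to be applied on this machine."
}
```

Run it in an elevated prompt on each machine you want to verify, or fold the function into whatever inventory tooling already collects registry state. Note that a set kill bit only confirms this one control is blocked; as the SANS warning above makes clear, it is not evidence that the underlying Internet Explorer flaw itself has been fixed.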

Microsoft said further security updates to Internet Explorer will arrive "in coming weeks." Microsoft has said that technologies in Windows XP Service Pack 2 protect IE users against vulnerabilities like those used in Download.Ject, but the company offered no more definitive word on when SP2 would ship.

The Microsoft statement also indicated that an overhaul of Internet Explorer for several platforms was on the way. "A comprehensive update for all supported versions of Internet Explorer will be released once it has been thoroughly tested and found to be effective across a wide variety of supported versions and configurations of Internet Explorer."

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

