With computer professionals still reeling from last week’s worm and virus attacks, Microsoft just yesterday released warnings that there are “critical” flaws in Internet Explorer 5 and 6 and “important” flaws in every recent version of Windows.
The IE issues are addressed by Microsoft security bulletin MS03-032, while the other issues are addressed by MS03-033. My analysis of these problems and the patches Microsoft has issued is given below.
- MS03-032: Internet Explorer 5 and 6 leave you open to Trojans
The danger level of this new problem is described by Microsoft as “critical” for most users of IE 5 and 6, but only “moderate” for users of IE 5 and 6 on Windows Server 2003. I recommend, however, that everyone install the patch provided by Microsoft, even on Windows Server 2003. Let me elaborate.
A mere e-mail message can infect you. The flaw in IE 5 and 6 can be exploited by a malicious person merely by sending you an e-mail that you open or preview in Microsoft Outlook, Outlook Express, or any other package that uses IE to display mail. Since e-mail viruses are spreading even more quickly these days than ever before, this is a gigantic problem. The flaw can also be exploited if a user of a vulnerable machine visits a malicious Web site, but this method of infection would not spread as quickly. Microsoft doesn’t say so, but the new problem appears to me to affect all recent versions of Outlook and Outlook Express, regardless of any previous security patches.
This is an ideal transmission method for zombie programs. This flaw allows a malicious person to run his or her own programs on the compromised machine. As a result, this weakness will soon be taken advantage of by those who want to install Trojan horses, zombies, and similar code on millions of personal computers to send spam, launch denial-of-service attacks, and so forth.
Windows Server 2003 is vulnerable because its “enhanced” security configuration can be turned off, leaving it open to this attack. It’s very likely that this configuration would be turned off, for example, to run Terminal Server and allow users to run IE to access it freely.