Microsoft Patches Failed To Fix Dangerous Security Flaw



Microsoft Corp.'s latest round of software patches fails to fix a flaw
in its Internet Explorer Web browser that makes it easier for online
criminals to dupe people into disclosing their credit card numbers,
passwords and other private data.

Security experts were hoping that the patches, which were released
today, would address the problem, but a Microsoft official said that
the company is still devising a fix.

The flaw lets criminals control the information displayed in the
address bar of Explorer's browser window. It was most recently used to
trick people into visiting a forged version of the Citibank Web site.
Once there, users were prompted to share personal identification and
credit card account numbers. Citibank today warned people to steer
clear of an e-mail that links to the fake site.

Security experts said that the flaw is easy to exploit.

"I could teach any grade school kid how to do it," said Ken Dunham,
malicious code manager for Reston, Va.-based security company
iDefense. "I'm very concerned for the Internet public at large because
this is one of the most dangerous trends we've seen emerge."

The scheme is gaining notoriety after criminals sent e-mails earlier
this month to customers of the PayPal online payment service and two
British financial institutions that linked to fake Web sites. Last
week, an e-mail scam tried to steal information from subscribers to
Earthlink, the nation's third-largest Internet service provider.

"From a consumer standpoint, this is probably the most severe security
flaw I'm aware of right now," said Johannes Ullrich, chief technology
officer for the SANS Institute's Internet Storm Center, which tracks
online attacks.

The false Web sites are the latest twist on "phishing scams," e-mails
that lure customers into divulging their personal and financial
information.

Roughly 5 percent of people who are actual customers of a company
targeted by the bogus e-mails fall for the scams, said David Jevans,
senior vice president at Tumbleweed Communications in Redwood City,
Calif. Jevans also serves as chairman of the Anti-Phishing Working
Group, a group of banks and e-mail security companies that fight
phishing schemes.

"This is a highly profitable venture for people because there is 10
times more money to be made in phishing scams than through regular
spamming," Jevans said.

Experts called the Citibank ruse one of the most convincing. It began
with a Web-based e-mail bearing the bank's trademark design, colors
and logo. The message said that the company had suffered some problems
with its data storage due to fraud activity, and urged customers to
check their account balances.

"Citibank notifies all it's [sic] customers in cases of high fraud or
criminal activity and asks you to check your account's balances. If
you suspect or have found any fraud activity on your account please
let us know by logging in at the link below," it said.

Security experts said that by failing to issue a patch to fix the
problem, Microsoft is ignoring a serious problem.

"I see this trick being used in the wild almost daily now, and they
definitely need to do something about it," said Ullrich.

Vincent Weafer, senior director of anti-virus company Symantec
Security Response, said that the vulnerability also can be used to
spread "backdoor Trojans," programs that allow hackers to control a
victim's computer.

Several viruses have used clever e-mails to fool consumers into
downloading Trojans disguised as critical security updates from
Microsoft. Using the Explorer flaw could trick users into believing
they are visiting Microsoft.com while they are downloading a Trojan
from a bogus site instead, Weafer said.

"This vulnerability has all the ingredients needed for the propagation
of malicious code, and I absolutely believe it will eventually be used
for that purpose."

A Microsoft spokesman said the company is working deliberately on
developing a patch to make sure it does not disable other features in
the Windows operating system or prevent users from visiting legitimate
Web sites.

"An incomplete patch can almost be worse than no patch at all," said
Stephen Toulouse, security program manager with the Microsoft Security
Response Center.

Today's batch of security updates is the third Microsoft has released
since it announced that it would issue them on a monthly basis.
Microsoft chief executive Steve Ballmer announced the change in early
October following criticism that the company is not doing enough to
protect Windows users. Microsoft said it made the changes to help ease
the burden on system administrators by making its patching process
more predictable.

The three patches Microsoft released today involve programs and
vulnerabilities commonly found in corporate networks, not home user
systems. One vulnerable component, however, a Web database management
program known as "Microsoft Data Access Components," is shipped with
nearly all versions of Windows. Users can check which updates they
need to download at this Windows Update site.

For a safe demonstration of the Microsoft IE vulnerability, click here
(this will only work for Internet Explorer users).

For information on how to protect yourself against phishing scams in
general, check out the Federal Trade Commission.




Active © 2006; WorldsLargestNetwork.com ; Rights Reserved