Faulty Patch Leaves IE Open to Attack
By Dennis Fisher
October 2, 2003

An incomplete patch has opened the door to the widespread exploitation of a vulnerability in Internet Explorer, and security experts say that there are at least four different methods being used by attackers to compromise vulnerable PCs.

Most recently, experts identified a new Trojan, known as Qhost-1, that has been discovered on a number of machines. However, the intent and possible uses of the program are somewhat unclear at this point. Qhost appears to change some of the DNS settings on infected machines and adds a couple of entries to the registry, but doesn't seem to take any other immediate actions.

What is clear, however, is that the patch issued by Microsoft Corp. in August to fix a pair of flaws in IE does not completely solve the problem.

There's been a lot of confusion about the patch. It only addresses part of the issue within the vulnerability so it's open to other attacks, said Ken Dunham, malicious code intelligence manager at iDefense Inc., based in Reston, Va. There's no protection against it. This is a massive problem.

The vulnerability itself is related to the way that IE handles HTML application files embedded in object tags. In order to exploit the weakness, an attacker would need only to entice a user to open a malicious e-mail or visit a Web site, where a Trojan or other malicious code could be automatically installed on the user's PC.

Of the three ways that a problematic HTML page needed to exploit this vulnerability can be created, the patch only prevents one from working, according to officials at the CERT Coordination Center in Pittsburgh. Several workarounds have been suggested, including disabling ActiveX controls in IE. Although, there are some reports that even this is not completely effective.

A fully patched IE system is vulnerable to this, said Art Manion, Internet security analyst at CERT. Manion said that editing the registry to delete a key related to the problem seems to be the most effective method of preventing exploitation, he said. The key that needs to be renamed or deleted is: HKEY_LOCAL_MACHINESOFTWAREClassesMIMEDatabaseContent Typeapplication/hta.

In addition to the Qhost Trojan, Manion has seen another Trojan that exploits this vulnerability to steal users' AOL Instant Messenger passwords. There is also an exploit that installs a dialing program that calls out to an overseas toll number, and a fourth tool that installs an old back door program.

IE is the only browser vulnerable to this specific exploit, so users could also avoid infection by switching to an alternate browser, such as Netscape Navigator or Opera.

If we don't see a [revised] patch come out soon, you'll definitely see people migrating to alternate browser, said Dunham. If you're not worried, you should be.

eWeek