SAN FRANCISCO (10/15/2003) - The third time's the charm for Microsoft Corp. After two failed attempts, the software giant seems to have succeeded in patching a serious security flaw in Internet Explorer.
"We've tested it extensively, and it plugs the vulnerability that it's supposed to. In fact I'd be willing to give Microsoft kudos for their latest patch," says Rob Shively, CEO of the network security consultancy PivX Solutions LLC. Microsoft representatives declined to comment for this report.
Users are urged to apply the patch immediately, since it plugs a hole that could admit a Trojan horse capable of hijacking your browser and redirecting it to assorted sites. The free download is posted on Microsoft's security site.
Microsoft scrambled to provide a security fix for Explorer last week following reports that a Trojan horse dubbed Qhosts-1 was spreading. The ill-intentioned applet vandalizes PCs after climbing through a pop-up browser window.
It then overwrites the Hosts file in the Windows directory, stuffing it with several megabytes of IP address redirections that send your browser to the hackers' Web site when you try to access search sites such as Google or Yahoo. Some versions of the Trojan horse send your browser to porn sites.
If you're running Explorer without the patch installed, infection can occur very easily. All you have to do is visit a Web page that happens to be displaying the Trojan banner ad and its pop-up. You don't even have to press a key in order for Qhosts-1 to start overwriting your Hosts file. (I was on a physics Web site when the pop-up flashed, and afterward I couldn't return to Google.)
To restore a system after a Qhosts-1 attack, simply delete the Hosts file. It's normally empty.
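Before deleting anything, a defender will usually want to see what the file was changed to. The following Python script, an added example that is not from the article, parses a Hosts file and flags any entry that points one of the search sites named above somewhere other than loopback (the default Windows file holds only comments and a localhost line, which it treats as benign). The sample file contents, the 203.0.113.45 address and the watched-domain list are constructed assumptions, not data from the article.

```python
import ipaddress
import sys
from typing import List, Tuple

# Constructed sample of a tampered Windows Hosts file (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
203.0.113.45    www.google.com   # search site redirected to an attacker-controlled host
203.0.113.45    google.com
203.0.113.45    www.yahoo.com
203.0.113.45    search.yahoo.com
"""

# Domains the Trojan was reported to hijack; assumption, extend as needed.
WATCHED_DOMAINS = {"google.com", "yahoo.com"}

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline and full-line comments
        if not line:
            continue
        ip, *names = line.split()             # one IP may carry several hostnames
        entries.extend((ip, name.lower()) for name in names)
    return entries

def is_watched(hostname: str) -> bool:
    """True for a watched domain or any of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)

def find_hijacks(text: str) -> List[Tuple[str, str]]:
    """Entries that send a watched domain anywhere except a loopback address."""
    hijacks = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                          # malformed line cannot redirect traffic
        if is_watched(name) and not addr.is_loopback:
            hijacks.append((ip, name))
    return hijacks

def report(text: str) -> dict:
    """Summary a responder can log: entry count, file size and redirect targets."""
    hijacks = find_hijacks(text)
    return {"entries": len(parse_hosts(text)), "bytes": len(text.encode()),
            "hijacked": hijacks, "targets": sorted({ip for ip, _ in hijacks})}

if __name__ == "__main__":
    # Pass a path (on Windows: C:\Windows\System32\drivers\etc\hosts) or use the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    print(report(text))
```

A multi-megabyte `bytes` figure or a long `targets` list is itself a strong indicator, since a clean file is tiny and redirects nothing.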
The security hole in Explorer permits pop-ups to run ActiveX scripts in areas of a PC that Explorer's security settings supposedly put off-limits to ActiveX, and it does so without any user input. The threat is not only grave; it's also easy for hackers to exploit. Microsoft has known about the hole since last summer and has provided three patches to plug it. The first two patches didn't work.
Still at Risk?
"Some low-risk vulnerability" remains, Shively says, but users who install the patch are fairly safe from malicious browser pop-ups.
Other observers recommend vigilance even after installing the patch. "Whenever you click 'Yes' in a pop-up box, you give the sending program permission to do whatever it wants to do on your PC," warns Craig Schmugar, a virus researcher at antivirus vendor Network Associates Inc.
Web sites that ask whether you'd like to make their site your default Web searcher or home site come to mind, but so do Web sites where dishonorable intentions might lurk beneath an innocuous question. What about those pop-up ads that tease you to play their golf and hockey games? Are you jeopardizing your PC by merely clicking on the hockey puck? Could a game be a cloak for nasty ActiveX code?
"There's absolutely no reason to believe that couldn't happen," says Andy Cianciotto, program manager for the security response team at antivirus software maker Symantec Corp. "In fact, it happens quite frequently that games are covers for Trojan horses."
Your Best Defense
Though running antivirus software is your best defense, even Symantec's Cianciotto says that such programs are not always good at detecting Trojan horses such as Qhosts-1.
"Trojan horses aren't self-replicating like viruses, and something that doesn't spread by itself is unlikely to be spotted by antivirus software," Cianciotto says. "A personal firewall will spot a Trojan horse, though."
(My Linux network firewall did not detect the Qhosts-1 invasion. My antivirus software was deactivated.)
Another line of defense involves raising the security settings in Explorer to deactivate ActiveX. To do this:
- In the Tools menu, select Internet Options.
- Click the Security tab, and highlight the Internet globe icon.
- At the bottom of the box, click Custom Level.
- In the Security Settings box, use the scroll bar to select the High setting; then click OK.
The drawback of disarming ActiveX is that you may have trouble accessing some Web sites. In addition, pop-up boxes warning you of the inaccessibility of ActiveX content may drive you crazy.
One further warning: Network Associates' Schmugar recommends reading on-screen user agreements carefully before agreeing to download ActiveX controls or other software.
"If you go to a Web site that's going to install software on your PC, read through the whole license agreement before you install anything," Schmugar says. He says that Network Associates receives frequent reports of seemingly innocuous software bearing hidden agendas.