Microsoft Releases Update for Browser
Internet Explorer Fix Helps Protect Passwords but Doesn't End Vulnerability
By Mike Musgrove
Washington Post Staff Writer
Saturday, July 3, 2004; Page E01
Microsoft Corp. released a free software update yesterday to close vulnerabilities that left users of its Internet Explorer browser open to attacks by hackers.
The security breach, discovered last week, made it possible for users of Microsoft's ubiquitous Web browser to have their passwords and private account information stolen when they logged on to banking sites.
Microsoft's update turns off a function within the Windows operating system instead of repairing the flaw in that function.
Stephen Toulouse, security program manager in Microsoft's Security Response Center, said the company is working on a patch to fix that vulnerability.
Yesterday's update, available at www.microsoft.com/downloadject, turns off the "Adodb.stream" function, part of an Internet Explorer technology called ActiveX, which lets Web sites put files onto users' hard drives. (There is no such function in a version of Internet Explorer that Microsoft shipped for the Mac operating system; that and other non-Windows platforms have not been affected by this issue.)
Toulouse said corporate users of the Microsoft browser may lose some capabilities as a result of the temporary fix. But, he said, "if you're a consumer visiting Web sites, there should be little to no impact at all."
Computer safety sometimes works at odds with convenience or ease of use. While some security experts recommended using Internet Explorer with the browser's security setting switched to "high," that setting leaves many Web sites unreadable or unusable.
In the attacks last week, a virus was programmed to record users' keystrokes at any of 50 banking sites and relay that data to a site in Russia. It was hidden in files that were parked on hacked Web sites for users to download in their usual browsing. That plan was interrupted when Internet providers blocked traffic to the Russian site, but its ambition led some security advisers to recommend dumping Internet Explorer in favor of other browsers.
That, too, can be a problem, however. The Web wasn't created for any one browser, but the dominance of Internet Explorer -- about 95 percent of the market, according to WebSideStory Inc. -- has led some Web designers to build sites that work well only in Explorer, or that even shut out other browsers.
Bill Leary, a software engineer in Hopkinton, Mass., has used the Opera browser for years, but sometimes must use IE to log into some banking or e-commerce sites -- the exact category targeted in the recent hacking campaign.
"This drives me nuts, because I want to use something that I know is safer," he said. "It's the sites I most don't want to use it for that I most have to."
It's too early to tell if Microsoft's latest security problems will reduce its share of the browser market.
Chris Hofmann, engineering director at the Mozilla Foundation, a group developing a family of Web browsers, e-mail programs and other Internet software, said downloads of its latest browser, Mozilla Firefox, doubled this week to about 200,000 a day. Hofmann said the organization sees a spike in downloads whenever a virus or worm exploits Windows vulnerabilities.
Security-software developers report increased sales. NPD Group Inc., a market-research firm, reported that half of the top 10 selling software titles in the third week of June (the latest period for which it has data) were security products.
Cleveland Park resident Susanna Beiser went to her local Best Buy early this week to pick up a copy of McAfee Inc.'s firewall software, an application designed to control the data going to and from a personal computer, after reading recent reports about Internet-related threats.
"In the past, I thought I was okay if I just scanned for viruses," she said, "but these new kinds of attacks seemed like they required more protection."
Beiser said she was amazed at the number of intrusion attempts her new software has detected so far, with break-in efforts coming from as far away as Italy and Hong Kong.
Though new viruses and attacks may be fueling these new sales, a report from Cupertino, Calif., security developer Symantec Corp. yesterday showed how long older viruses can stay in circulation -- and therefore, how many users have yet to patch their computers.
Symantec found that its corporate customers are still being hit with viruses and worms such as Slammer, Blaster and Code Red -- the oldest of which first appeared in July 2001.
"We're surprised to see them still out there," said Oliver Friedrichs, senior manager at Symantec Security Response. "There are enough new unpatched systems being added to the Internet to keep these things alive."
And enough new threats to keep computer security professionals like Friedrichs busy: Computer security firm McAfee yesterday began alerting its users about a new virus called Lovgate. Then again, it wasn't quite new; yesterday's debut was the 30th mutation of this bug.
© 2004 The Washington Post Company