NTA Monitor

Latest News

60% of UK website tests revealed Internet encryption and cross-site scripting vulnerabilities

10th April 2008 60% of web application tests performed for UK organisations showed that their websites contain weak encryption or cross-site scripting (XSS) vulnerabilities Read More

Demilitarised Zone most secure option for BlackBerry device

28th February 2008 Recent BlackBerry testing by IT security consultancy, NTA Monitor, has revealed that organisations are still not configuring these mobile devices correctly Read More

Retailers should put security top of their Christmas list

13th November 2007 With British consumers spending more than £6.6 billion online in the last two months of last year, the 2007 festive season is set to be one of great cheer for online retailers Read More

Businesses warned not to have skeletons in cupboards

13th November 2007 For many organisations, the festive season is an opportunity to heave a corporate sigh of relief and enjoy the brief respite in frenetic business activity as countless people all over the world, go home to celebrate Christmas Read More

Date: 30th August 2004
Risk: Medium

Microsoft have released seven new patches this month. There's some help for IE users worried about last month's Download.Ject security scare, but you are going to have to wait for a comprehensive fix.

Two of the fixes - involving flaws with Windows Task Task Scheduler (MS04-022) and the HTML help function used by Internet Explorer (MS04-023) - are deemed to be critical. Either of these flaws could be used to take control of vulnerable systems, Microsoft warns.

Redmond also released a patch MS04-021 for a less serious flaw involving older versions of its Internet Information Services Web server software (IIS 4.0). This and fixes for flaws involving the user interface (or shell) on Microsoft Windows (MS04-024), Microsoft Windows Utility Manager (MS04-019) and POSIX Subsystem of Microsoft Windows ( MS04-020) are described by Microsoft as important. Finally there's an update designed to fix a moderate vulnerability with Outlook Express (MS04-018).

Separately Microsoft released a tool to clean up machines infected during last month's Download.Ject security flap. Users visiting a web site contaminated with Download.Ject activated a script that downloaded a Trojan horse (called Berbew) from a web site in Russia. This web site was rapidly taken down, but the underlying vulnerability in Internet Explorer used in the Download.Ject attack remains unpatched, despite a workaround from Microsoft designed to limit the scope for mischief.

Redmond released these configuration changes earlier in July and recently followed up with a tool to remove variants of the Berbew Trojan from infected systems. Berbew (AKA Webber or Padodor) is capable of extracting passwords and login details from victims and forwarding this confidential data to crackers.

The risk posed by future Download.Ject-style attacks prompted security clearing house US-CERT to advise users to ditch IE, a call repeated by security experts.

Thomas Kristensen, CTO at security firm Secunia, explained "There are a variety of vulnerabilities with Internet Explorer that have been around for a while and are been actively exploited. Several are unpatched. We recommend our customers use another browser for general web surfing and to limit their use of IE to trusted web sites where its functionality is required, such as banking web sites."

References

http://www.Microsoft.com http://www.Microsoft.com/technet