Microsoft Releases Fix for IE Phishing Exploit
2nd July, 2004
The update disables an ActiveX control known as adodb.stream, which will prevent the Download.Ject attack. The malicious code was being downloaded from the infected IIS servers onto users' machines, and included a trojan that records keystrokes in an attempt to capture eBay and Paypal passwords. The Russian server distributing the attack code was shut down on June 24, four days after the first reports of the exploit, but security professionals predict that copycats are likely to try and replicate the attack.
The configuration change is currently available on Microsoft’s Download Center and will be made available later today on Windows Update.
US-CERT notes that the configuration change is a workaround for the IE security hole, rather than a cure. "Disabling the ADODB.Stream control does not directly address any cross-domain vulnerabilities, nor does it prevent attacks," the agency noted in an update. "This workaround prevents a well-known and widely used technique for writing arbitrary data to disk after a cross-domain vulnerability has been exploited. There may be other ways for an attacker to write arbitrary data or execute commands."
Microsoft says the server exploit affected machines running Windows 2000 and IIS 5.0 server that were not fully patched against a bevy of security holes detailed in April, known collectively as MS04-011. The initial version of the patch included bugs that crashed Win2K systems. Microsoft is referring system admins to a knowledgebase article detaling the workarounds and fixes available for affected Win2K machines.