Saturday, April 15, 2006

'Critical' megapatch sews up 10 holes in IE

Microsoft on Tuesday released a "critical" Internet Explorer update that fixes 10 vulnerabilities in the Web browser, including a high-profile bug that is already being used in cyberattacks.

The Redmond, Wash., software giant sent out the IE megafix as part of its monthly Patch Tuesday cycle of bulletins. In addition, Microsoft delivered two bulletins for "critical" Windows flaws, one for an "important" vulnerability in Outlook Express and one for a "moderate" bug in a component of FrontPage and SharePoint.

"This patch release is a big one with lots of aftershocks," said Jonathan Bitle, a product manager at security company Qualys. "Three of the five updates, the IE and Windows updates, are especially critical as they take advantage of inexperienced users ... Although a worm epidemic is unlikely, users can be easily enticed to visit malicious Web pages."

Eight of the 10 vulnerabilities repaired by the IE update could be abused to gain complete control over a Windows computer running vulnerable versions of the Web browser. In all instances, an attacker would have to create a malicious Web site and trick people into visiting that site to hook into a PC, Microsoft said in its Security Bulletin MS06-013.

Microsoft rates its browser update "critical" for IE 5 and IE 6, the most-used versions of the popular software. IE is vulnerable on all current versions of the Windows operating system (Windows 2000, Windows XP and Windows Server 2003), as well as on the older Windows 98 and Windows Millennium Edition, the company said.

"An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system," Microsoft said in its alert. "We recommend that customers apply the update immediately." Windows users who have automatic updates enabled for the operating system will have the fixes delivered to them.

Microsoft had been under pressure to rush the IE patch out before Tuesday because miscreants were already exploiting one of the flaws. Third parties had even provided temporary fixes for this "CreateTextRange" bug, which experts said was being used by malicious Web sites to try to drop code such as spyware on vulnerable PCs.

According to Microsoft's bulletin, three of the 10 vulnerabilities fixed by the update had been publicly disclosed. Only the CreateTextRange flaw was being exploited in attacks, the software maker said.

But Symantec has information that three of the flaws were already being exploited in attacks prior to Microsoft's patch release. More attacks are likely to follow, Oliver Friedrichs, a director at Symantec Security Response, said in a statement. "According to the latest Symantec Internet Security Threat Report, the average time between the release of a security patch and the development of an exploit is six days," he said.

Holes in Windows
In a double-whammy for Windows users, all versions of the operating system vulnerable to the IE problems are also affected by two other "critical" flaws, Microsoft said. These holes could also allow an intruder to commandeer a PC. One is related to a specific ActiveX control, a kind of Web program (MS06-014), and the other deals with a bug in Windows Explorer (MS06-015).

In these cases also, an intruder would have to build a special Web page to take advantage of the security hole. Some of the vulnerabilities in Windows and IE could also be exploited using an HTML e-mail, which essentially is a Web page sent in an e-mail message.

Users of Outlook Express face an additional security risk, in that the e-mail application is flawed in the way it handles Windows Address Book files. Opening a specially crafted WAB file can result in execution of malicious code, giving an attacker control of the Windows PC, Microsoft said in Security Bulletin MS06-016.

The Windows bugs as well as the Outlook Express flaw were reported privately to Microsoft and have not been used in any attacks, the company said.

The last of the five security alerts issued by Microsoft, MS06-017, affects the lowest number of users and is deemed a "moderate" risk. The cross-site scripting flaw in FrontPage Web site building software and SharePoint collaboration software could lead to a system compromise, the company said.

Eolas tweaks
The IE update, in addition to security fixes, makes a change to the way IE handles ActiveX controls. These tweaks are a response to a long-running patent dispute between Microsoft and Eolas Technologies, a start-up backed by the University of California. The changes can affect how certain sites display in the browser.

People who need more time to adjust to the ActiveX changes can download a special patch that will disable them for two months. This "compatibility patch" is specifically designed for businesses that may have homegrown applications that use ActiveX, Microsoft has said.



By Joris Evers
Staff Writer, CNET News.com
Published: April 11, 2006, 1:19 PM PDT
Last modified: April 11, 2006, 1:57 PM PDT

Internet Agency Weighs New Domain Name

NEW YORK - Reaching out and touching someone used to be as simple as dialing a string of numbers. But now there are home, cell and work phone numbers from which to choose, and sometimes work extensions to remember.

There are also e-mail addresses — at home and at work — and instant messaging handles, perhaps separate ones for the various services, some of which now do voice and video besides text. Some people even have Web pages — through their employer or Internet service provider, or perhaps a profile or two on MySpace.

To help people manage all their contact information online, the Internet's key oversight agency is considering a ".tel" domain name. If approved, the domain could be available this year.

As proposed, individuals could use a ".tel" Web site to provide the latest contact information and perhaps even let friends initiate a call or send a text message directly from the site. Businesses could use a ".tel" site to determine customers' locations and route them automatically to the correct call center.

Its proponents also envision ".tel" as a place from which the various people-finding services on the Internet could pull the latest contact information as individuals move about. Now, data typically come from third-party sources like phone listings, which may be old or incomplete, particularly if an entire household is listed under one name.

And telephony applications and devices yet to be built could one day make use of such data, especially as wireless and wireline networks converge, according to London-based Telnic Ltd., which proposed and would run the domain if it is approved.

There's nothing inherent in ".tel" that would enable these features; rather, its aim is to create a place to which people would know to go to find contact information.

Todd Masonis, a co-founder of contact management service Plaxo Inc., is familiar with the hassles of keeping track of everyone.

His parents have had the same house and phone number for some 30 years, and "for a long time that was how they are identified," Masonis said. "But in the last two years, even they have had a couple of cell phones, a couple of e-mail addresses and Web pages and instant message IDs."

Still, he questions the need for ".tel" when companies like his already use ".com" to host services that help manage contacts. He worries that a ".tel" name would create yet another identifier for people to remember, without doing away with the others.

The board of the Internet Corporation for Assigned Names and Numbers plans to review the proposal Tuesday, although it may wait until next month or later to decide.

Telnic officials likened ".tel" to the creation of domain names decades ago as an easier-to-remember alternative to the series of numbers behind every Internet-connected computer. Instead of memorizing a friend's phone numbers, they say, just remember the ".tel" address.

But Telnic was vague on how all this would work, saying it is merely enabling developers to come up with innovative ways to use ".tel."

Nor did the company say in its application how much a ".tel" name would cost. A spokesman said Friday that officials were unavailable because of the Easter holiday.

ICANN sought bids in 2004 for new domain names. John Jeffrey, ICANN's general counsel, said the other ".tel" applicant had failed to correct deficiencies identified by an independent review panel. But that applicant, Internet telephony pioneer Jeff Pulver, blamed politics for the rejection.

European Union, ".jobs" for human-resources sites, ".travel" for the travel industry, ".mobi" targeting mobile services and ".cat" for the Catalan language, bringing the number of domains to 264.

The organization also is in negotiations to create ".xxx" for porn sites, ".asia" for the Asia-Pacific community and ".post" for postal services.

The few who submitted comments to ICANN on ".tel" were skeptical.

Francisco Cabanas, owner of Canadian domain registration company FineE.com, said an organization like The Associated Press could simply create an address at "tel.ap.org," rather than require an "ap.tel."

Otherwise, who would get the ".tel" name? The AP? Internet service provider AccessPort, which uses "ap.net"? Or Audio Precision Inc., at "ap.com"?

"It kind of magnifies the problem," Cabanas said. "If I'm looking for a phone number or an e-mail address or whatever and I'm getting a totally different (company), it defeats the purpose."

Also unclear is what the demand would be like, given the popularity of ".com."

The seven domains approved in 2000 — including ".aero," ".museum," and ".info" — "just never have caught on," said Dan Tobias, a Boca Raton, Fla., computer programmer who runs a site on domain names. "Nobody's figured out how to educate the public enough to seek out a different ... domain."

Written By ANICK JESDANUN, AP Internet Writer