IE Attacks Circulate as Microsoft Updates Advisory

In the face of ongoing attacks, Microsoft updates its security advisory for an Internet Explorer vulnerability a day after a security researcher published exploit code for the vulnerability on the Internet.

Ongoing attacks targeting a new zero-day bug in Internet Explorer and the presence of exploit code on the Web prompted Microsoft March 12 to update its advisory.

According to Microsoft, the IE vulnerability in question is due to an invalid pointer reference being used within IE. It is only known to affect IE 6 and 7. To address the issue, the company has made a handful of workarounds available and updated the advisory today to add a Microsoft Fix It that automates a workaround for Windows XP and Windows Server 2003 users.

Other workarounds include reconfiguring Internet Zone settings to High and modifying the access control list on iepeers.dll. Instructions for how to do both things are contained within the Microsoft advisory.

Since Microsoft published the advisory March 9, exploit code for the IE flaw has gone public, triggering some concern that there will be a rise in attacks in the days ahead as users wait for a patch.

"Observed attacks against this vulnerability continue to be limited and targeted; however, with the recent release of publicly available exploit code Symantec expects this vulnerability, like most other recent browser and plug-in vulnerabilities, to be added to attack kits and ongoing criminal campaigns in the near future," said Ben Greenbaum, security intelligence manager for Symantec Security Response.

Meanwhile, researchers at Sophos are tracking a spam campaign pushing out exploits for the IE vulnerability. According to Sophos, attackers were observed this week using malicious links in e-mails to lead users to malicious sites that unload the exploit onto their computers.

"Messages used at least two social engineering tricks to lure victims into clicking the malicious link: the tried and tested 'delivery failed, please confirm address details' messages [and a] request for details confirmation for [an] insurance quote," blogged Fraser Howard, principal researcher with SophosLabs.

Though his colleague Sophos Senior Security Advisor Chester Wisniewski said the spam campaign is relatively limited, he noted that there was a concern that the exploits will continue to get more refined as users await a patch. Already, he said, the exploit Howard blogged about included a downloader that can retrieve other malicious payloads to infect the user.

"What is more worrying is that this could be similar to the pattern we saw with threats like Conficker," Wisniewski said. "Initially there were a few zero-day exploits against MS08-067, but none were overly successful. This prompted MS to release out of band in Oct 08, yet Conficker didn't come out until November. The Conficker guys perfected the clumsy early attacks and refined them into a very nasty machine."

Jerry Bryant, senior security communications manager lead at Microsoft, blogged that the company is in the process of testing an update that addresses the issue. He did not say definitively whether Microsoft would issue an out-of-band update to patch the problem.

In the meantime, Howard suggested users "take a hint" and upgrade to IE 8, the most current version of the browser.

"Aside from not being affected [by] this particular [problem], there are a whole bundle of other security-related features you are missing out on otherwise," he blogged.