Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    IE Under Attack: Microsoft Ponders Emergency Patch

    By
    Ryan Naraine
    -
    March 24, 2006
    Share
    Facebook
    Twitter
    Linkedin

      Malicious hackers are using hijacked Web servers and compromised sites to launch a wave of zero-day attacks against an unpatched flaw in Microsofts Internet Explorer browser.

      The first wave of drive-by downloads was spotted on March 25, and security experts tracking the attack say the threat is growing at a rate of 10 new malicious URLs every hour.

      eWEEK has seen a list of more than 20 unique domains and 100 unique URLs hosting the exploits, which are dropping a variant of SDbot, a virulent family of backdoors that give hackers complete ownership of infected computers.

      SDbot allows attackers to control victims computers remotely by sending specific commands via IRC (Inter Relay Chat) channels. It has been used to seed botnets and plant keystroke loggers for use in identity theft attacks.

      The Microsoft Security Response Center has confirmed the attacks but insists they are “limited in scope.”

      “Heres what we know. The attacks are limited in scope for now and are being carried out by malicious Web sites exploiting a vulnerability in the method by which Internet Explorer handles HTML rendering,” said MSRC Program Manager Stephen Toulouse.

      “[Were] working day and night on development of a cumulative security update for Internet Explorer that addresses the vulnerability,” Toulouse said in a blog entry posted at 5:21 a.m. on March 25.

      He said the IE patch is “on schedule” to ship as part of next months Patch Tuesday, which will take place on April 11, but the company is not ruling out an emergency, out-of-cycle release if the threat escalates.

      “Well release it sooner if warranted,” Toulouse said.

      The attacks come less than 24 hours after Microsoft issued an advisory with interim workarounds for customers running IE on supported versions of Windows 2000, Windows XP and Windows Server 2003.

      According to Dan Hubbard, senior director of security and technology research at Websense Security Labs, his companys honeyclient crawler is capturing about 10 new malicious URLs every hour.

      /zimages/4/28571.gifA WMF exploit sold underground for $4,000. Click here to read more.

      “This looks very much like the WMF [Windows Metafile] attacks, [and] it appears to be just the beginning,” Hubbard said in an interview with eWEEK.

      Hubbard, who was the first to discover the WMF zero-day attacks in the wild last December, said there is evidence that the attackers are currently testing different types of exploits on hijacked Web sites.

      “Some of these attackers are the same people that were exploiting the WMF vulnerability. Theyre using the same Web sites,” Hubbard said. “This will continue to get worse over the weekend especially if they can figure out how to get the exploits to work efficiently.

      “One of the interesting things were seeing is that the shell code doesnt work on a lot of these sites. That suggests theyre testing the exploits and getting ready to do some major damage,” he added.

      In addition to SDbot variants, Hubbard said the sites are dumping spyware and keystroke loggers on machines without requiring any user action. “Simply surfing to these sites will hose your machine,” he warned.

      /zimages/4/28571.gifA proof-of-concept exploit code for a “highly critical” IE vulnerability hits the Web. Click here to read more.

      Although the attacks do not require any user action—simply surfing to a rigged site will trigger the exploit—researchers at Florida-based anti-spyware outfit Sunbelt Software said the WMF exploit, which used malicious images to execute the malware payload, was much more dangerous.

      “I dont want to spread undue panic. This is not like the WMF exploit, which had the cruel aspect of using a graphic file to execute a payload,” said Sunbelt President Alex Eckelberry. “This fact broadened the attack vectors to graphics embedded in e-mails, graphics being viewed through Google Desktop [and other applications].

      “This is not the same type of exploit. You still have to visit a specific page to get infected, [but] it does not affect e-mail and the like,” Eckelberry added.

      On the Websense blog, Hubbard has posted a screenshot of a golfing site that has been hijacked to serve up exploits. “The sheer percentage of sites that are compromised versus owned by the attacker is higher than usual,” Hubbard noted. In particular, he said several travel-related sites that are hosted on different networks.

      /zimages/4/84833.gifHow can SMBs walk the line between cost-effective solutions and reliable security protection? Join Ziff Davis Media eSeminars, HP and PC Connection on March 29 at 4 p.m. ET, and learn how to develop an effective and affordable security and business protection strategy.

      Roger Thompson, a security researcher attached to Atlanta-based Exploit Prevention Labs, expects to see more than 5,000 malicious sites over the next few days. “You can expect to see rootkits coming down the pipe within the next 24 hours,” Thompson said.

      Hubbard also suspects that a Web server exploit is being used in combination with the IE exploit to push the malicious code onto servers and then to clients. “In recent weeks we have also seen increases on our honeypots for several bulletin board programs, most notably PHPBB,” he added.

      In the absence of a patch, Microsoft recommends that IE users configure the browser to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone.

      In addition, IE users can set Internet and Local intranet security zone settings to “High” to prompt before Active Scripting in these zones.

      The company is preparing a comprehensive patch to correct the vulnerability, which is caused by an error in the processing of the “createTextRange()” method call applied on a radio button control.

      Editors Note: This story was updated to include additional information on the threat.

      /zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

      Ryan Naraine
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×