Its a good time now, in the midst of a “zero-day” attack, to consider the meaning of severity ratings for vulnerabilities.
The current Internet Explorer attack is a bad one of course, but just as was the case in the midst of the Windows Meta File vulnerability crisis four months ago, the actual severity is easy to overstate.
Both of these attacks require, as security people put it, “user intervention.” In other words, you have to go visit a Web page in order to be attacked. If you dont visit an attack page, you wont get attacked.
Personally I think of it as being like having a high-crime area in town. If I dont go there, I wont get mugged there. Its not entirely that simple, but theres a lot of truth to it. In fact, this is even safer than that, because I can get mugged in the “good” part of town, but if I only visit trusted, respectable Web sites Im not vulnerable to this attack.
And, of course, if I feel the urge to go surf untrusted Web sites I can use Firefox. I basically use both browsers all the time.
Why not just use Firefox all the time? Apart from the fact that it is possible (if extremely unlikely for practical purposes) to be attacked through Firefox, it crashes on me periodically, especially during printing. IE is actually much more stable for me. And I just consider it part of my job to use both browsers.
As researchers are reporting widely, the number of Web sites that are serving this attack is in the hundreds and growing. I actually have a recent list of them, and the large majority are the sorts of sites I wouldnt knowingly visit, at least not in front of others.
So it was with the WMF exploit. There are some respectable business sites on my list too, and Ive seen reports that respectable sites are getting hacked to insert the attack. I havent actually found the attack on any of these sites; perhaps theyve been cleaned up already.
The WMF exploit also generated a lot of angst. The end of the world as we know it (TEOTWAWKI) didnt happen, but its in the nature of these attacks that you cant really know how serious they actually were. In fact, just the other day iDefense reported that it has found a million-strong, heretofore unknown botnet that infects, among other ways, through the WMF exploit. I doubt iDefense can say how many attacks took place through WMF as opposed to some other vehicle.
I have a theory about how the WMF attack spread, to the extent that it did, and how this IE attack will spread: Most of the users who were compromised by the WMF bug already had adware on their systems and were hit by the WMF bug when the adware served them an advertising page that exploited the bug.
The IE bug, the createTextRange bug, can and will work in the same way. There are unscrupulous ad networks out there that function more for the distribution of malware and the creation of botnets than for serving the ads themselves.
I have another theory that is about as unprovable, but I believe theres a lot of truth to it: The people getting hit with these attacks are the same people, over and over again.
Most of the compromised systems have been compromised by many other attacks from malware the users stupidly ran or vulnerabilities they didnt patch. A corollary of this is that iDefenses million-system botnet probably overlaps substantially with other botnets, because systems in it are running multiple bots.
But the really critical vulnerabilities, the ones that innocent, even scrupulous users can fall victim to, are network worms like the LSASS and DCOM-RPC bugs that led to the Sasser and Blaster worms. We havent had anything like them since the LSASS bug, almost two years ago.
So take the createTextRange vulnerability seriously. You may want to be more careful on the Web until you have a patch. But dont sweat it too much; this isnt one of the really big ones.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at firstname.lastname@example.org.