Microsoft Expands Zero-Day IE Warning


Did Microsoft miss a vulnerability in its latest Internet Explorer (IE) patch roundup — or several?

Late Thursday, Microsoft updated its advisory on a zero-day vulnerability affecting its IE 7 Web browser. The updated advisory now indicates that older and newer versions of IE are also at risk from the XML zero-day flaw.

As a result, the company is now warning that IE 5.01 Service Pack 4, IE 6 and IE 6 SP1, and Windows Internet Explorer 8 Beta 2 are all potentially at risk.

The flaw stems from an issue in how Internet Explorer parses XML. Microsoft reported the vulnerability a day after issuing its December Patch Tuesday update, which contained four different fixes for versions of IE.

As of late Thursday, there were no reported public sightings of the XML flaw in action on browsers other than IE 7, according to the security watchdogs at SANS Internet Storm Center (ISC).

“I don’t want to start a panic,” ISC handler Kevin Liston wrote in a post on ISC’s site. “We have not received any reports of attacks affecting these versions (yet).”

Signs point to new attacks

The same, however, can’t be said for attacks on IE 7. Johannes Ullrich, another handler at ISC, reported on the group’s site an SQL injection attack that was spreading exploits for the browser’s vulnerability.

Microsoft itself is reporting attacks in the wild and is providing some direction as to which countries have been affected the most so far. According to the Microsoft Malware Protection Center blog, as of late Thursday, 64 percent of reported infections were coming from the U.S., 7 percent from China, 7 percent from Canada and 5 percent from Japan.

“The exploit sites we’ve seen so far drop a wide variety of malware,” Microsoft said. “Most commonly password stealers, like new variants of game password stealers like Win32/OnLineGames, and Win32/Lolyda; keyloggers like Win32/Lmir; trojan horse applications like Win32/Helpud along with some previously unseen malware, which we generically detect as Win32/SystemHijack.”

Microsoft also said that the Web sites that have been taking advantage of the zero-day flaw are primarily being hosted on Chinese domains. The most prevalent names of the web pages exploiting the vulnerability, according to Microsoft, are: 7.htm, I7.htm, ie07.htm, msxml.htm, and ss.htm.
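The page names above are the kind of indicator a defender would sweep proxy logs for. The PowerShell below is an added example, not code from the article or from Microsoft: it parses constructed, space-separated access-log lines (date, time, client, method, URL, status; the format is an assumption for the example) and reports requests whose final path component is one of the listed names, ignoring query strings and letter case.

```powershell
# Added example (not from the article): scan proxy-style access-log lines for requests whose
# final path component is one of the page names the article lists. Log lines are constructed.
$IndicatorPages = @('7.htm', 'I7.htm', 'ie07.htm', 'msxml.htm', 'ss.htm')

# Constructed sample, space-separated: date time client method url status
$SampleLog = @'
2008-12-12 10:01:03 10.0.0.5 GET http://www.example.com/index.htm 200
2008-12-12 10:01:09 10.0.0.5 GET http://www.example.com/ie07.htm 200
2008-12-12 10:02:17 10.0.0.7 GET http://www.example.org/2008/12/7.htm 200
2008-12-12 10:03:44 10.0.0.9 GET http://www.example.net/img/SS.HTM?x=1 200
2008-12-12 10:04:02 10.0.0.9 GET http://www.example.net/msxml.html 404
'@ -split "`r?`n"

function Find-IndicatorRequests {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string[]]$Pages = $IndicatorPages
    )
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 6) { continue }
        $uri = $null
        # Only well-formed absolute URLs are examined; anything else is skipped, not guessed at.
        if (-not [uri]::TryCreate($fields[4], [UriKind]::Absolute, [ref]$uri)) { continue }
        # AbsolutePath drops the query string; the last segment is the page name.
        $leaf = ($uri.AbsolutePath -split '/')[-1]
        # -in is case-insensitive in PowerShell, matching how Windows web servers treat paths.
        if ($leaf -in $Pages) {
            [pscustomobject]@{
                Time   = "$($fields[0]) $($fields[1])"
                Client = $fields[2]
                Host   = $uri.Host
                Page   = $leaf
                Url    = $fields[4]
            }
        }
    }
}

# On the constructed sample this reports three hits (ie07.htm, 7.htm, SS.HTM); msxml.html is not matched.
Find-IndicatorRequests -LogLines $SampleLog | Format-Table -AutoSize
```

Names such as 7.htm and ss.htm are generic enough that hits are leads rather than verdicts: retrieve the page content for inspection and pivot on the hosting domains before adding anything to a block list.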

Microsoft has not yet indicated whether it will issue a patch for the current zero-day XML flaw. The company has noted in its public advisory, however, that it will take “appropriate action” when its investigation is complete — action that could include an out-of-cycle patch.

In addition to its investigation, Microsoft is now providing guidance to users on workarounds that could mitigate the risk from the vulnerability.

“Specifically, we’re recommending both setting the Internet zone security setting to ‘High’ and using [Access Control Lists] to disable Ole32db.dll,” Christopher Budd, a member of the company’s security response team, wrote on the Microsoft Security Response Center blog. “Our research so far has shown that these two steps together provide the most effective protections for this issue.”
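The two workarounds Budd describes can be applied, checked and undone on a single machine with the PowerShell below. It is an added example, not code from the article or from Microsoft. Assumptions: the Internet zone is zone 3 under the per-user Internet Settings key and its preset slider values are the CurrentLevel constants listed; and the “Ole32db.dll” named in the quote is the OLE DB core library shipped as oledb32.dll in System32. Run it from an elevated session; the ACL step modifies a system file.

```powershell
# Added example (not from the article or from Microsoft): apply, check and undo the two
# workarounds quoted above. Run elevated; the ACL step changes a file under System32.

# Internet zone = zone 3 in the per-user Internet Settings hive.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# CurrentLevel values corresponding to the Internet Options slider positions.
$ZoneLevels = [ordered]@{
    Low        = 0x10000
    MediumLow  = 0x10500
    Medium     = 0x11000
    MediumHigh = 0x11500
    High       = 0x12000
}

# Assumption: the article's "Ole32db.dll" is the OLE DB core library, oledb32.dll.
$OleDbDll    = Join-Path $env:windir 'System32\oledb32.dll'
$EveryoneSid = 'S-1-1-0'   # well-known SID for Everyone, independent of UI language

function Get-InternetZoneLevel {
    # Reports the current Internet zone level by preset name, or 'Custom' if it matches none.
    $value = (Get-ItemProperty -Path $ZoneKey -Name CurrentLevel).CurrentLevel
    $match = $ZoneLevels.GetEnumerator() | Where-Object { $_.Value -eq $value } | Select-Object -First 1
    $name  = if ($match) { $match.Key } else { 'Custom' }
    [pscustomobject]@{ Level = $name; Value = ('0x{0:X}' -f $value) }
}

function Set-InternetZoneLevel {
    param([ValidateSet('Low', 'MediumLow', 'Medium', 'MediumHigh', 'High')][string]$Level = 'High')
    Set-ItemProperty -Path $ZoneKey -Name CurrentLevel -Value $ZoneLevels[$Level] -Type DWord
}

function Test-OleDbDenied {
    # True when an explicit Deny ACE for Everyone is present on the DLL.
    $acl = Get-Acl -Path $OleDbDll
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $EveryoneSid
    })
}

function Set-OleDbDeny {
    # Adds a Deny-Everyone ACE (full control) so the browser cannot load the library.
    # Side effect: every OLE DB consumer on the machine stops working until the ACE is removed.
    icacls $OleDbDll /deny "*${EveryoneSid}:(F)" | Out-Null
}

function Remove-OleDbDeny {
    icacls $OleDbDll /remove:d "*$EveryoneSid" | Out-Null
}

function Test-Mitigations {
    # Summarises both workarounds; Mitigated is true only when both are in place.
    $zone = Get-InternetZoneLevel
    $deny = Test-OleDbDenied
    [pscustomobject]@{
        InternetZone = $zone.Level
        OleDbDenied  = $deny
        Mitigated    = ($zone.Level -eq 'High') -and $deny
    }
}

# Usage (elevated). Record the current zone level first so it can be restored later.
#   Get-InternetZoneLevel
#   Set-InternetZoneLevel -Level High; Set-OleDbDeny; Test-Mitigations
# Undo once a patch is installed, restoring the level recorded above:
#   Set-InternetZoneLevel -Level MediumHigh; Remove-OleDbDeny
```

Two caveats for anyone rolling this out: the zone setting above is per user, and if Internet Explorer has been configured to read zone settings from HKLM only (the Security_HKLM_only policy value), the HKCU change has no effect, so check the effective level in Internet Options afterwards; and the Deny ACE on oledb32.dll disables OLE DB for the whole machine, not just for the browser, so it belongs on end-user workstations rather than on anything that serves data.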
