Microsoft today released a patch for the latest Internet Explorer (IE)
browser vulnerability that has been in the news since last week.
However, malware authors have already begun pushing out customized
variants of the flaw that the Microsoft patch may not address.
The vulnerability, rooted in IE’s XML parser, lets attackers execute code on their victims’ PCs.
By Saturday, at least 6,000 Web sites had been infected, and the number is growing, though ascertaining the exact number is difficult. However, security
experts say things will get much worse, even if users follow Microsoft’s
(NASDAQ: MSFT) advice to install the patch immediately.
Currently attacks have only targeted IE 7, Christopher Budd, security
response communications lead at Microsoft, said in a statement. They have
not been successful against systems where the patch has been applied,
according to Budd.
Microsoft is hosting two Webcasts to address customer questions about the
security bulletin. The first was set for 1 p.m. PDT today and the second for 11 a.m. PDT tomorrow in the U.S. and Canada. The Webcasts will be available on demand after that.
According to researcher Rahul Mohandas on the McAfee (NYSE: MFE) Avert Labs blog, malware authors have already begun
issuing customized versions of the IE exploit with various degrees of
In one of the most prominent techniques, the attacker e-mails victims
a Microsoft Word document containing an embedded ActiveX control that is triggered when the document is opened. This exploit was listed as one of the SysAdmin, Audit,
Network, Security (SANS) Institute’s top 20 security risks in 2007.
Victims of the latest exploit are hit by drive-by injection attacks,
where they go to a compromised Web site that automatically downloads
malicious code onto their PCs.
Malware authors have come up with a new twist on this, Dave Marcus,
security research and communications director at McAfee Labs, told
InternetNews.com. They plant an IFrame onto a legitimate site and the
IFrame redirects unsuspecting visitors to the site hosting the malicious
An IFrame is an HTML element that lets users embed an HTML document
inside another HTML document. The CBS (NYSE: CBS) TV network site was hit by
an IFrame attack on November 11 that saw visitors redirected to a server in
Russia, according to security company Finjan’s MCRC blog on November 27.
“We’ve seen an awful lot of sites that have been compromised with the
IFrame on them,” Marcus said. “It’s a very Web 2.0 way of spreading
Attacks on the browser are expected to increase, with the browser
increasingly being considered an application platform, security experts say. Mozilla’s Firefox, for example, was ranked as the most
vulnerable application by whitelisting vendor Bit9, although Mozilla has since issued a set of ten patches to its Firefox browser.
Experts disagree on how to prevent attacks on browsers in the
Microsoft should strip down IE to only the features users need, Wolfgang
Kandek, chief technology officer at Qualys, told InternetNews.com.
“Why does that browser, which is tightly integrated into Windows, have a
very powerful library when users only need a subset of those
functionalities?” he asked. “When a library offers way too many features,
that opens the door for exploits.”
It’s all about Web 2.0
But McAfee’s Marcus said stripping down IE is not the answer. “Users expect
rich dynamic content in this day and age – streaming audio and video – and
the browser simply reflects what they’re looking for,” he said. “You can’t
stop car theft or bank robberies, you manage the risk and you have to manage
the risk of browser attacks in the same way, with layers of defense, knowing
exactly what the risks of your assets are and defending them properly.”
Marcus said it is difficult to pin down the exact number of infected
sites because malware authors are using IFrame attacks.
The situation will only get worse over the next few weeks, Derek Manky,
Fortinet’s project manager, cyber security and threat research, told
“In October, Microsoft issued an out-of-band patch for a vulnerability in the server service that was very high profile, but that flaw is still being exploited,” he explained. For two to three weeks after
that patch was issued, malware activity was low, and now the activity has
increased, Manky said.
“I expect to see the same with this IE exploit,” Manky said. “In other
words, the worst is yet to come.”