Patches released for zero-day IE threat

Third parties to the rescue

Hundreds of malicious websites are attempting to exploit the most critical of two flaws announced last week in Microsoft's browser, convincing two companies to release workarounds late Monday to head off the threat.

Security firms Determina and eEye Digital Security each created a standalone patch to protect Windows systems that use Internet Explorer to browse the web. The vulnerability, the most critical of three announced in the last week, is reportedly being actively exploited by more than 200 malicious web sites.

"Obviously, these things (fixes) are experimental in nature but considering the options of being vulnerable or at least having a fighting chance - well, I think you get the point," eEye chief hacking officer Marc Maiffret said in a statement announcing that company's fix. "Again, this is just another mitigation option until Microsoft releases their patch, which last was scheduled for 11 April."

The third-party patches are the latest fixes to be released by companies other than Microsoft, when the software giant's response is perceived to leave customers at risk. In January, an independent software programmer released a patch for a critical flaw in the Windows Meta File (WMF) format that also affected users of Internet Explorer. The companies, and the researcher that released the WMF patch, do not refer to the fixes as permanent solutions but temporary workarounds.

Last week, Microsoft confirmed reports of the latest vulnerability in Internet Explorer. The flaw occurs in the way that the software giant's browser handles certain HTML objects with Internet Explorer's CreateTextRange function. The flaw affects Internet Explorer 6.0 and 5.01.

"So far we’re still seeing only limited attacks," Microsoft security program manager Stephen Toulouse said in a blog post. "But our anti-malware team, as always, is on the case and has uploaded removal information for the attacks to date to Windows Live Safety Center."

A Microsoft representative was not immediately available to comment on the release of the third-party patches.

Another flaw disclosed last week affects Internet Explorer's processing of HTML applications, also known as HTAs. While the researcher that found the flaw created proof-of-concept code to exploit the issue, no publicly available code is known to exist. Earlier in March, a third researcher found a way to use Internet Explorer's Java applet functions to cause a denial-of-service attack.

The most critical vulnerability of the three is the CreateTextRange issue, said Dan Hubbard, senior director of research for security firm Websense. The company, which scans 80m web addresses every 24 hours in search of exploits, found 200 URLs that attempted to exploit the CreateTextRange issue. The web pages reside on compromised servers and have likely been created by a single person or a small group, he said.

"The code semantics for the websites are almost completely the same. There are a few variants which change the location from where they are downloading the payload. Basically, there are three different versions of the exact same thing."

The pages use the flaw to install a download Trojan horse program that fetches another piece of software to scan a victim's machine and grab sensitive data. The programs also log keystrokes, Hubbard said.

The threat has largely diminished since the weekend, according to the Internet Storm Centre, the incident response arm of the SANS Institute.

"Right now, there is not that much of a threat," SANS Institute chief research officer Johannes Ullrich said. "Most of the sites are down right now, and the payload is removed from the websites from which it was being downloaded."

Microsoft advised users to turn off Active Scripting if they do not need the functionality. The problem is the latest issue caused by the support for ActiveX, a programming language supported by Internet Explorer to add interactive functions to websites. The problems have occasionally resulted in calls for users to switch to alternative browsers, such as Mozilla's Firefox, which does not support the Active Scripting function.
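The workaround Microsoft advised, disabling Active Scripting in Internet Explorer's Internet zone, is stored per user in the registry; this added PowerShell example (not from the article, Microsoft, Determina or eEye) records the current setting, disables it, and verifies the change. It assumes a Windows host where the current user's IE zone settings are not overridden by Group Policy.

```powershell
# Added example: disable IE "Active scripting" in the Internet zone (zone 3)
# for the current user. Registry value 1400 holds this setting:
# 0 = Enable, 1 = Prompt, 3 = Disable.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$name = '1400'

# Record the existing value (may be absent if the zone uses defaults)
$before = (Get-ItemProperty -Path $zone -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $before) { $before = 'not set (zone default)' }
Write-Host "Active scripting (Internet zone) before: $before"

# Apply the workaround
Set-ItemProperty -Path $zone -Name $name -Value 3 -Type DWord

# Verify it took effect
$after = (Get-ItemProperty -Path $zone -Name $name).$name
if ($after -ne 3) { throw "Active scripting was not disabled (value is $after)" }
Write-Host "Active scripting (Internet zone) now: $after (3 = Disable)"

# Once a vendor patch is installed, restore the previous value, e.g.:
# Set-ItemProperty -Path $zone -Name $name -Value 0 -Type DWord
```

Sites that must keep scripting can be placed in the Trusted sites zone (zone 2) instead, which has its own 1400 value, so the Internet zone stays locked down.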

However, some users may not be technical enough to understand how to disable Active Scripting, or may require the functionality, Determina and eEye said in their advisories.

"The workaround does not fully address the problem," Determina director of security research Charles Renert said. "Workarounds turn off functionality... In one way, it's like saying you could always turn off your computer, and you wouldn't be affected, but that is not a good solution in terms of business continuity."

For users that need Active Scripting functionality, the third-party patches are the only option, the SANS Institute's Ullrich said.

"As long as Microsoft has not developed a patch to protect people, third parties will produce patches," he said. "There are a couple cases where you have to use Internet Explorer with Active Scripting enabled, and in those cases, these (patches) are really the only option."

Microsoft has not announced when it plans to release a patch for Internet Explorer. The software giant patched the WMF flaw in eight days, its fastest turnaround time to fix a flaw in Internet Explorer. The company's next scheduled patch date is Tuesday, 11 April.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus
