Feeds

Microsoft issues emergency IE patch as attacks escalate

Patch now

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Microsoft has issued a rare emergency update for its Internet Explorer browser as miscreants stepped up attacks targeting a vulnerability on hundreds of thousands of webpages.

In many cases, the websites distributing the toxic payload are legitimate destinations that have been commandeered, allowing an attacker to snare victims as they surf to online banks, forums, and other trusted sites. There are at least six distinct versions of attack code circulating in the wild, according to researchers at iDefense, a security lab owned by VeriSign.

A web search showed 233,000 pages containing the string ardoshanghai.com/s.js, just one of many web addresses exploiting a weakness in the way IE's data-binding function works. Most of the attacks silently install keylogging software as soon as a victim surfs to a site carrying the exploit. Once installed, the software steals login credentials for online games.

Attack strings in separate SQL injections include 17gamo.com/1.js. Researchers say the number of attack sites is too high to keep exhaustive lists, but Shadowserver is doing an admirable job here.

"The vulnerability is so juicy that we expect it to show up in tool kits fairly shortly," said Rick Howard, intelligence director of iDefense.

The patch was released eight days after reports began circulating that websites were targeting a vulnerability in fully patched versions of IE. This is only the second time in 18 months that Microsoft has issued an unscheduled update. Typically, patches are available on the second Tuesday of each month to allow system administrators time for planning.

Given the prevalence of attacks, there's no good reason why anyone running a Windows machine shouldn't stop what they're doing and install the patch immediately (those with administrative rights, anyway) - doing so is as easy as opening IE and selecting Windows Update from the Tools menu. The patch can also be downloaded directly here.

Howard mentioned the site of "a major financial institution" that he found hosting the exploit, so don't think you're immune just because you steer clear of porn and warez. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
'People have forgotten just how late the first iPhone arrived ...'
Plus: 'Google's IDEALISM is an injudicious justification for inappropriate biz practices'
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
Mozilla shutters Labs, tells nobody it's been dead for five months
Staffer's blog reveals all as projects languish on GitHub
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
iOS 8 Healthkit gets a bug SO Apple KILLS it. That's real healthcare!
Not fit for purpose on day of launch, says Cupertino
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.