Emergency IE patch goes live as exploits proliferate

'Hundreds of sites' locked and loaded

Updated: Microsoft released an emergency security update for all versions of Internet Explorer on Thursday as attacks exploiting a critical vulnerability in the widely used browser spread to hundreds of websites.

The patch fixing the IE vulnerability used to penetrate the defenses of Google and other large companies came as anti-virus provider Symantec said the flaw was being exploited on "hundreds of websites." While some of the sites hosting the attacks were free services that had been co-opted, others appeared to be domains of legitimate companies that had been compromised.

"I'd consider this the first widescale attack that's been seen for this," Joshua Talbot, security intelligence manager for Symantec's Security Response group, told The Register. "The fact that the attacker has gone through the effort to set up hundreds of sites is a good indication of what other attackers are also doing right now. It's highly likely that other attackers will be retooling their attack toolkits to utilize this in driveby downloads to infect users."

Updates will be automatically installed by systems configured to receive such updates. Those who don't want to wait can manually apply the patch by visiting this link with IE. In an admission that's sure to spark criticism, Microsoft said it learned of the critical bug more than three months ago.

Microsoft said earlier Thursday that it continued to see "limited and targeted attacks against Internet Explorer 6 only." The company nonetheless strongly urged users to install the fix as soon as possible. While Talbot believes the attacks have now gone mainstream, he said none of the attacks he's seen in the wild are successful against versions 7 and 8, thanks to security features Microsoft has baked into the browser.

The unscheduled bulletin fixes a memory corruption flaw in most versions of the widely used browser that allows attackers to execute malicious code simply by luring victims to a booby-trapped website. It fixes seven other privately reported vulnerabilities, some of which also made remote code execution possible, that Microsoft had been planning to issue next month during its next regularly scheduled patch release.

The update patches the holes by modifying the way IE handles objects in memory, validates input parameters, and filters HTML attributes. Although IE 5.01 isn't vulnerable to the exploits that penetrated Google, that version is susceptible to exploits targeting other bugs, so Thursday's patch is considered critical for all users.

This is the 12th time Microsoft has issued a patch outside its regular schedule since 2003, when it began releasing security updates on the second Tuesday of each month. The software maker released the out-of-band update after Google took the unusual step last week of publicly proclaiming its security was pierced by attackers it believes were located in China. It said at least 20 other large companies were similarly targeted, a number independent researchers later raised to 33.

Similar attacks targeting government agencies and companies in the defense and energy industries in the US and UK continue, according to this report issued Thursday by Websense.

Microsoft is generally reluctant to issue unscheduled updates out of deference to customers who want time to test how the changes will affect their systems.

Earlier this week, security firms including Websense and McAfee reported seeing copycat attacks that use the same code used against Google, but until now, those attacks appeared to be limited to a handful of websites that mostly targeted Chinese-speaking users. The new attacks are hosted on a variety of websites, including "well-known dynamic DNS hosting sites," Talbot said.

Systems compromised by the sites reported by Symantec were infected with a backdoor that collected registry settings and other system information and sent it to an email address that was under the control of attackers. That email address has since been disabled, Talbot said.

The attack code is different from that used to compromise Google, but appears to have been derived from exploits that went public late last week. While researchers have devised proof-of-concept code that successfully exploits Microsoft's most recent version of IE, all in-the-wild attacks that have been reported so far are successful against only IE 6.

"All these other attackers who are less sophisticated leverage that proof of concept and reuse it, so they're really not adding anything new or doing their own research and figuring out how to make it more reliable on more platforms," Talbot said. "They're just reusing the work that's already been provided."

He said security features available in more recent browsers - such as ASLR, or address space layout randomization, and DEP, or data execution prevention - have so far neutralized the public exploits.

Nonetheless, Symantec's report that hundreds of websites are now hosting the attack adds urgency to the emergency update. And the ability of white hat hackers to successfully compromise IE 7 and 8 means black hats can't be far behind. ®

This article was updated throughout to include additional details.
