Feeds

Emergency IE patch goes live as exploits proliferate

'Hundreds of sites' locked and loaded

SANS - Survey on application security programs

Updated Microsoft released an emergency security update for all versions of Internet Explorer on Thursday as attacks exploiting a critical vulnerability in the widely used browser spread to hundreds of websites.

The patch fixing the IE vulnerability used to penetrate the defenses of Google and other large companies came as anti-virus provider Symantec said the flaw was being exploited on "hundreds of websites." While some of the sites hosting the attacks were free services that had been co-opted, others appeared to be domains of legitimate companies that had been compromised.

"I'd consider this the first widescale attack that's been seen for this," Joshua Talbot, security intelligence manager for Symantec's Security Response group, told The Register. "The fact that the attacker has gone through the effort to set up hundreds of sites is a good indication of what other attackers are also doing right now. It's highly likely that other attackers will be retooling their attack toolkits to utilize this in driveby downloads to infect users."

Updates will be automatically installed by systems configured to receive such updates. Those who don't want to wait can manually apply the patch by visiting this link with IE. In an admission that's sure to spark criticism, Microsoft said it learned of the critical bug more than three months ago.

Microsoft said earlier Thursday that it continued to see "limited and targeted attacks against Internet Explorer 6 only." The company nonetheless strongly urged users to install the fix as soon as possible. While Talbot believes the attacks have now gone mainstream, he said none of the attacks he's seen in the wild are successful against versions 7 and 8, thanks to security features Microsoft has baked in to the browser.

The unscheduled bulletin fixes a memory corruption flaw in most versions of the widely used browser that allows attackers to execute malicious code simply by luring victims to a booby-trapped website. It fixes seven other privately reported vulnerabilities, some of which also made remote code execution possible, that Microsoft had been planning to issue next month during its next regularly scheduled patch release.

The update patches the holes by modifying the way IE handles objects in memory, validates input parameters, and filters HTML attributes. Although IE 5.01 isn't vulnerable to the exploits that penetrated Google, that version is susceptible to exploits targeting other bugs, so Thursday's patch is considered critical for all users.

This is the 12th time Microsoft has issued a patch since 2003, when it began releasing security updates on the second Tuesday of each month. The software maker released the out-of-band update after Google took the unusual step last week of publicly proclaiming its security was pierced by attackers it believes were located in China. It said at least 20 other large companies were similarly targeted, a number independent researchers later raised to 33.

Similar attacks targeting government agencies and companies in the defense and energy industries in the US and UK continue, according to this report issued Thursday by Websense.

Microsoft is generally reluctant to issue unscheduled updates out of deference to customers who want time to test how the changes will affect their systems.

Earlier this week, security firms including Websense and McAfee reported seeing copycat attacks that use the same code used against Google, but until now, those attacks appeared to be limited to a handful of websites that mostly targeted Chinese-speaking users. The new attacks are hosted on a variety of websites, including "well-known dynamic DNS hosting sites," Talbot said.

Systems compromised by the sites reported by Symantec were infected with a backdoor that collected registry settings and other system information and sent it to an email address that was under the control of attackers. That email address has since been disabled, Talbot said.

The attack code is different than that used to compromise Google, but appears to have been derived from exploits that went public late last week. While researchers have devised proof-of-concept code that successfully exploits Microsoft's most recent version of IE, all in-the-wild attacks that have been reported so far are successful against only IE 6.

"All these other attackers who are less sophisticated leverage that proof of concept and reuse it, so they're really not adding anything new or doing their own research and figuring out how to make it more reliable on more platforms," Talbot said. "They're just reusing the work that's already been provided."

He said security features available in more recent browsers - such as ASLR, or address space layout randomization, and DEP, or data execution prevention - have so far neutralized the public exploits.

Nonetheless, Symantec's report that hundreds of websites are now hosting the attack adds urgency to the emergency update. And the ability of white hat hackers to successfully compromise IE 7 and 8 means black hats can't be far behind. ®

This article was updated throughout to include additional details.

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.