Emergency IE patch goes live as exploits proliferate

'Hundreds of sites' locked and loaded

Updated Microsoft released an emergency security update for all versions of Internet Explorer on Thursday as attacks exploiting a critical vulnerability in the widely used browser spread to hundreds of websites.

The patch fixing the IE vulnerability used to penetrate the defenses of Google and other large companies came as anti-virus provider Symantec said the flaw was being exploited on "hundreds of websites." While some of the sites hosting the attacks were free services that had been co-opted, others appeared to be domains of legitimate companies that had been compromised.

"I'd consider this the first widescale attack that's been seen for this," Joshua Talbot, security intelligence manager for Symantec's Security Response group, told The Register. "The fact that the attacker has gone through the effort to set up hundreds of sites is a good indication of what other attackers are also doing right now. It's highly likely that other attackers will be retooling their attack toolkits to utilize this in driveby downloads to infect users."

Updates will be automatically installed by systems configured to receive such updates. Those who don't want to wait can manually apply the patch by visiting this link with IE. In an admission that's sure to spark criticism, Microsoft said it learned of the critical bug more than three months ago.

Microsoft said earlier Thursday that it continued to see "limited and targeted attacks against Internet Explorer 6 only." The company nonetheless strongly urged users to install the fix as soon as possible. While Talbot believes the attacks have now gone mainstream, he said none of the attacks he's seen in the wild are successful against versions 7 and 8, thanks to security features Microsoft has baked into the browser.

The unscheduled bulletin fixes a memory corruption flaw in most versions of the widely used browser that allows attackers to execute malicious code simply by luring victims to a booby-trapped website. It fixes seven other privately reported vulnerabilities, some of which also made remote code execution possible, that Microsoft had been planning to issue next month during its next regularly scheduled patch release.

The update patches the holes by modifying the way IE handles objects in memory, validates input parameters, and filters HTML attributes. Although IE 5.01 isn't vulnerable to the exploits that penetrated Google, that version is susceptible to exploits targeting other bugs, so Thursday's patch is considered critical for all users.

This is the 12th out-of-band patch Microsoft has issued since 2003, when it began releasing security updates on the second Tuesday of each month. The software maker released the unscheduled update after Google took the unusual step last week of publicly proclaiming its security was pierced by attackers it believes were located in China. It said at least 20 other large companies were similarly targeted, a number independent researchers later raised to 33.

Similar attacks targeting government agencies and companies in the defense and energy industries in the US and UK continue, according to a report issued Thursday by Websense.

Microsoft is generally reluctant to issue unscheduled updates out of deference to customers who want time to test how the changes will affect their systems.

Earlier this week, security firms including Websense and McAfee reported seeing copycat attacks that use the same code used against Google, but until now, those attacks appeared to be limited to a handful of websites that mostly targeted Chinese-speaking users. The new attacks are hosted on a variety of websites, including "well-known dynamic DNS hosting sites," Talbot said.

Systems compromised by the sites reported by Symantec were infected with a backdoor that collected registry settings and other system information and sent it to an email address that was under the control of attackers. That email address has since been disabled, Talbot said.

The attack code is different from that used to compromise Google, but appears to have been derived from exploits that went public late last week. While researchers have devised proof-of-concept code that successfully exploits Microsoft's most recent version of IE, all in-the-wild attacks that have been reported so far are successful against only IE 6.

"All these other attackers who are less sophisticated leverage that proof of concept and reuse it, so they're really not adding anything new or doing their own research and figuring out how to make it more reliable on more platforms," Talbot said. "They're just reusing the work that's already been provided."

He said security features available in more recent browsers - such as ASLR, or address space layout randomization, and DEP, or data execution prevention - have so far neutralized the public exploits.
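Because the in-the-wild attacks described above succeed only against IE 6, the first thing a defender wants from the proxy logs is a list of which clients are still running it, so those machines get patched (or kept off the web) first. The script below is an added example, not code from the article, Symantec or Microsoft: it parses constructed sample proxy log lines (timestamp, client IP, host, status, quoted User-Agent, a format assumed here for illustration), pulls the IE major version out of the "MSIE x.y" token that IE 5 through 8 send, and returns the clients at or below IE 6.

```python
import re

# Constructed sample proxy log lines for this example (not real traffic). Assumed
# format: timestamp, client IP, requested host, HTTP status, quoted User-Agent.
SAMPLE_LOG = """\
2010-01-21T09:12:03Z 10.0.4.17 www.example.com 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2010-01-21T09:12:09Z 10.0.4.22 www.example.com 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
2010-01-21T09:13:40Z 10.0.4.17 cdn.example.net 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
2010-01-21T09:14:02Z 10.0.5.3 intranet.example.com 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2010-01-21T09:14:55Z 10.0.5.9 www.example.org 200 "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7"
2010-01-21T09:15:10Z 10.0.4.40 www.example.com 200 "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
"""

# One log record: five whitespace-separated fields, the last one double-quoted.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<host>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# IE 5 through 8 identify themselves with an "MSIE <version>" token.
MSIE_RE = re.compile(r'MSIE (\d+(?:\.\d+)?)')


def ie_version(user_agent):
    """Return the IE major version as an int, or None if the UA is not IE."""
    m = MSIE_RE.search(user_agent)
    if not m:
        return None
    return int(float(m.group(1)))  # "6.0" -> 6, "5.01" -> 5


def triage(log_text):
    """Map each IE major version seen in the log to the set of client IPs using it."""
    by_version = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        version = ie_version(m.group("ua"))
        if version is None:
            continue  # not Internet Explorer at all
        by_version.setdefault(version, set()).add(m.group("ip"))
    return by_version


def priority_list(log_text, max_version=6):
    """Sorted client IPs running IE max_version or older (IE 6 by default)."""
    at_risk = set()
    for version, ips in triage(log_text).items():
        if version <= max_version:
            at_risk |= ips
    return sorted(at_risk)


if __name__ == "__main__":
    for version, ips in sorted(triage(SAMPLE_LOG).items()):
        print("IE %d: %s" % (version, ", ".join(sorted(ips))))
    print("patch first:", ", ".join(priority_list(SAMPLE_LOG)))
```

Two caveats before acting on the output. The User-Agent is set by the client, so a list built this way is a triage aid, not proof of what is installed; and, as the article notes, proof-of-concept exploits already work against IE 7 and 8, so the list only orders the patching, it does not excuse the newer versions from it.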

Nonetheless, Symantec's report that hundreds of websites are now hosting the attack adds urgency to the emergency update. And the ability of white hat hackers to successfully compromise IE 7 and 8 means black hats can't be far behind. ®

This article was updated throughout to include additional details.
