Emergency IE patch goes live as exploits proliferate

'Hundreds of sites' locked and loaded

Updated: Microsoft released an emergency security update for all versions of Internet Explorer on Thursday as attacks exploiting a critical vulnerability in the widely used browser spread to hundreds of websites.

The patch fixing the IE vulnerability used to penetrate the defenses of Google and other large companies came as anti-virus provider Symantec said the flaw was being exploited on "hundreds of websites." While some of the sites hosting the attacks were free services that had been co-opted, others appeared to be domains of legitimate companies that had been compromised.

"I'd consider this the first widescale attack that's been seen for this," Joshua Talbot, security intelligence manager for Symantec's Security Response group, told The Register. "The fact that the attacker has gone through the effort to set up hundreds of sites is a good indication of what other attackers are also doing right now. It's highly likely that other attackers will be retooling their attack toolkits to utilize this in driveby downloads to infect users."

Updates will be automatically installed by systems configured to receive such updates. Those who don't want to wait can manually apply the patch by visiting this link with IE. In an admission that's sure to spark criticism, Microsoft said it learned of the critical bug more than three months ago.

Microsoft said earlier Thursday that it continued to see "limited and targeted attacks against Internet Explorer 6 only." The company nonetheless strongly urged users to install the fix as soon as possible. While Talbot believes the attacks have now gone mainstream, he said none of the attacks he's seen in the wild are successful against versions 7 and 8, thanks to security features Microsoft has baked into those releases of the browser.

The unscheduled bulletin fixes a memory corruption flaw in most versions of the widely used browser that allows attackers to execute malicious code simply by luring victims to a booby-trapped website. It fixes seven other privately reported vulnerabilities, some of which also made remote code execution possible, that Microsoft had been planning to issue next month during its next regularly scheduled patch release.

The update patches the holes by modifying the way IE handles objects in memory, validates input parameters, and filters HTML attributes. Although IE 5.01 isn't vulnerable to the exploits that penetrated Google, that version is susceptible to exploits targeting other bugs, so Thursday's patch is considered critical for all users.

This is the 12th time Microsoft has issued an unscheduled, out-of-band patch since 2003, when it began releasing security updates on the second Tuesday of each month. The software maker released the out-of-band update after Google took the unusual step last week of publicly proclaiming its security was pierced by attackers it believes were located in China. It said at least 20 other large companies were similarly targeted, a number independent researchers later raised to 33.

Similar attacks targeting government agencies and companies in the defense and energy industries in the US and UK continue, according to this report issued Thursday by Websense.

Microsoft is generally reluctant to issue unscheduled updates out of deference to customers who want time to test how the changes will affect their systems.

Earlier this week, security firms including Websense and McAfee reported seeing copycat attacks that use the same code used against Google, but until now, those attacks appeared to be limited to a handful of websites that mostly targeted Chinese-speaking users. The new attacks are hosted on a variety of websites, including "well-known dynamic DNS hosting sites," Talbot said.

Systems compromised by the sites reported by Symantec were infected with a backdoor that collected registry settings and other system information and sent it to an email address that was under the control of attackers. That email address has since been disabled, Talbot said.

The attack code is different from that used to compromise Google, but appears to have been derived from exploits that went public late last week. While researchers have devised proof-of-concept code that successfully exploits Microsoft's most recent version of IE, all in-the-wild attacks that have been reported so far are successful only against IE 6.

"All these other attackers who are less sophisticated leverage that proof of concept and reuse it, so they're really not adding anything new or doing their own research and figuring out how to make it more reliable on more platforms," Talbot said. "They're just reusing the work that's already been provided."

He said security features available in more recent browsers - such as ASLR, or address space layout randomization, and DEP, or data execution prevention - have so far neutralized the public exploits.

Nonetheless, Symantec's report that hundreds of websites are now hosting the attack adds urgency to the emergency update. And the ability of white hat hackers to successfully compromise IE 7 and 8 means black hats can't be far behind. ®

This article was updated throughout to include additional details.
