Feeds

Unpatched IE bug exploited in targeted attacks

'More than a few organizations' hit

  • alert
  • submit to reddit

Seven Steps to Software Security

Unknown attackers have been targeting a previously unknown vulnerability in Internet Explorer to take control of machines running the Microsoft browser, security watchers warned on Wednesday.

The exploits were hosted on a page of an unidentified website that had been breached without the owner's knowledge, according to antivirus provider Symantec, which discovered the attacks a few days ago. The perpetrators then sent emails that lured a select group of people in targeted organizations to the booby-trapped page, causing those who used IE versions 6 and 7 to be infected with a backdoor trojan.

The exploit required no interaction on the part of victims and gave no indication what was happening. While the exploit page was found on a single website, Symantec researchers warned the attacks may have been widespread.

“Looking at the log files from this exploited server we know that the malware author had targeted more than a few organizations,” they wrote. “The files on this server had been accessed by people in lots of organizations in multiple industries across the globe.”

In an encouraging sign, few of the visitors were affected because they weren't using a vulnerable browser, they added.

Version 8 of IE may also be vulnerable, but a security protection known as DEP, or data execution prevention – which is turned on by default – causes the browser to crash rather than to remotely execute the malicious code, Microsoft said. DEP, which was first added to IE 7, is designed to lessen the damage of such attacks by preventing data loaded into memory from being executed. While hackers have figured out ways to bypass the technology, so-called heap-spraying attacks don't work well with this particular bug.

The security flaw resides in a part of IE that handles CSS, or Cascading Style Sheets, tags. As a result, the browser under-allocates memory, allowing data to be overwritten in memory vtable pointers. By spraying memory with special data, an attacker can cause IE to execute code.

The report is the latest reminder of the benefits of moving to the latest version of IE – or to a different browser altogether. Those who must use IE versions 6 or 7, should consider augmenting it with EMET, Microsoft's tool for locking down older applications. It can be used to add DEP and other security mitigations to a variety of programs, including IE and Adobe Reader.

Microsoft didn't say when it planned to patch the vulnerability, but Jerry Bryant, a spokesman for Microsoft response, indicated the bug probably didn't warrant a release outside of the company's normal update cycle. That means the earliest we're likely to see a fix is December 14.

Microsoft has more details here, here and here. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.