Microsoft sees 'huge increase' in IE attacks

HURST · Dec 15, 2008

Microsoft Corp. warned Saturday of a "huge increase" in attacks exploiting a critical unpatched vulnerability in Internet Explorer (IE) and said some originated from hacked pornography sites.

Other researchers confirmed that attacks were increasingly coming from compromised Web sites.

Microsoft noted the upswing in attacks on its Malware Protection Center blog late Saturday. "The trend for now is going upwards," said researchers Ziv Mador and Tareq Saade on the blog. "We saw a huge increase in the number of reports today compared to yesterday."

Hackers have been exploiting a data binding bug in IE for more than a week, according to researchers who first noted in-the-wild attack code on Chinese servers. The vulnerability, which exists in all versions of the Microsoft browser, including IE5.01, IE6, IE7 and IE8 Beta 2, has so far been exploited only by attack code that targets IE7, the most widely-used edition.
Click to expand...

Microsoft acknowledged that attacks have become a significant problem. "Based on our stats, since the vulnerability has gone public, roughly 0.2% of users worldwide may have been exposed to Web sites containing exploits of this latest vulnerability," Mador and Saade said. "That percentage may seem low. However, it still means that a significant number of users have been affected."
Click to expand...

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123398

Rmus · Dec 15, 2008

Microsoft has elaborated on the various work-around measures for this exploit until a patch is released:

Clarification on the various workarounds from the recent IE advisory
http://blogs.technet.com/swi/archiv...-workarounds-from-the-recent-IE-advisory.aspx

From the computerworld article you cited (thanks!),

The vulnerability, which exists in all versions of the Microsoft browser, including IE5.01, IE6, IE7 and IE8 Beta 2, has so far been exploited only by attack code that targets IE7, the most widely-used edition.
Click to expand...

This explains why using IE6, the exploit would not run on sites that I looked at. The code checks for the versions of IE and the Operating system.

Note, however, that the IE7 exploit has been seen packaged with other exploits that affect IE6, so that an unpatched IE6 would be vulnerable should one encounter a compromised website.

One of Microsoft's recommendations is to Enable DEP (data execution prevention). Another consideration, because the payload is a trojan executable file,

If executed successfully, the script will download the binary from ht tp: //www[...]/admin/win.exe.
Click to expand...

those with Software Restriction Policies enabled will prevent the trojan from running.

OTHER REFERENCES

0-day exploit for Internet Explorer in the wild
http://isc.sans.org/diary.html?storyid=5458

IE7 0day expanded to include IE6 and IE8(beta)
http://binarycse.com/wordpress/?p=68

----
rich

Pedro · Dec 15, 2008

Waiting for Patch Tuesday? ..

ghodgson · Dec 15, 2008

Another very good reason to ditch IE and go with Firefox or Opera.

Kerodo · Dec 18, 2008

They're all the same... they all have vulnerabilities that keep surfacing, then they patch 'em and life goes on...

Log in or Sign up

Microsoft sees 'huge increase' in IE attacks

HURST Registered Member

Rmus Exploit Analyst

Pedro Registered Member

ghodgson Registered Member

Kerodo Registered Member

Log in or Sign up

Microsoft sees 'huge increase' in IE attacks

HURST Registered Member

Rmus Exploit Analyst

Pedro Registered Member

ghodgson Registered Member

Kerodo Registered Member

Useful Searches