#1
03-27-2006
joe5

IE Under Attack: Microsoft Ponders Emergency Patch


Updated: Microsoft confirms a wave of drive-by downloads targeting a zero-day browser vulnerability and says Internet Explorer users can expect a patch on April 11, if not sooner.



Malicious hackers are using hijacked Web servers and compromised sites to launch a wave of zero-day attacks against an unpatched flaw in Microsoft's Internet Explorer browser.

The first wave of drive-by downloads was spotted on March 25, and security experts tracking the attack say the threat is growing at a rate of 10 new malicious URLs every hour.

eWEEK has seen a list of more than 20 unique domains and 100 unique URLs hosting the exploits, which are dropping a variant of SDbot, a virulent family of backdoors that give hackers complete ownership of infected computers.

SDbot allows attackers to control victims' computers remotely by sending specific commands via IRC (Internet Relay Chat) channels. It has been used to seed botnets and plant keystroke loggers for use in identity theft attacks.

The Microsoft Security Response Center has confirmed the attacks but insists they are "limited in scope."

"Here's what we know. The attacks are limited in scope for now and are being carried out by malicious Web sites exploiting a vulnerability in the method by which Internet Explorer handles HTML rendering," said MSRC Program Manager Stephen Toulouse.

"[We're] working day and night on development of a cumulative security update for Internet Explorer that addresses the vulnerability," Toulouse said in a blog entry posted at 5:21 a.m. on March 25.

He said the IE patch is "on schedule" to ship as part of next month's Patch Tuesday, which will take place on April 11, but the company is not ruling out an emergency, out-of-cycle release if the threat escalates.

"We'll release it sooner if warranted," Toulouse said.

The attacks come less than 24 hours after Microsoft issued an advisory with interim workarounds for customers running IE on supported versions of Windows 2000, Windows XP and Windows Server 2003.

According to Dan Hubbard, senior director of security and technology research at Websense Security Labs, his company's honeyclient crawler is capturing about 10 new malicious URLs every hour.

"This looks very much like the WMF [Windows Metafile] attacks, [and] it appears to be just the beginning," Hubbard said in an interview with eWEEK.

Hubbard, who was the first to discover the WMF zero-day attacks in the wild last December, said there is evidence that the attackers are currently testing different types of exploits on hijacked Web sites.

"Some of these attackers are the same people that were exploiting the WMF vulnerability. They're using the same Web sites," Hubbard said. "This will continue to get worse over the weekend especially if they can figure out how to get the exploits to work efficiently.

"One of the interesting things we're seeing is that the shell code doesn't work on a lot of these sites. That suggests they're testing the exploits and getting ready to do some major damage," he added.

In addition to SDbot variants, Hubbard said the sites are dumping spyware and keystroke loggers on machines without requiring any user action. "Simply surfing to these sites will hose your machine," he warned.

Although the attacks do not require any user action (simply surfing to a rigged site will trigger the exploit), researchers at Florida-based anti-spyware outfit Sunbelt Software said the WMF exploit, which used malicious images to execute the malware payload, was much more dangerous.


More here:
http://www.eweek.com/article2/0,1895,1942570,00.asp


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

