Escalating attacks prompted emergency IE update, says Microsoft

China, home of the security firm that reported the bug, is No. 1 attack target

Microsoft said that it patched the critical vulnerability in Internet Explorer (IE) earlier this week because the number of attacks jumped after news broke that the exploit had gone public.

Microsoft's explanation fit the expectations of several security researchers, who earlier this month predicted that the company would release an "out-of-band" update if attacks climbed, saying that that was the determining factor in Microsoft's decision-making process.

Holly Stewart, a senior program manager with the Microsoft Malware Protection Center (MMPC), acknowledged that attacks exploiting the "iepeers.dll" escalated March 12, two days after Israeli researcher Moshe Ben Abu used a clue in a McAfee blog to build a working attack for the popular Metasploit open-source penetration testing kit.

Three days before that, Microsoft had issued a security advisory warning users the vulnerability was already being used by hackers in drive-by attacks from malicious sites. At the time, Microsoft said that while both IE6 and IE7 could be exploited, the latter's pseudo sandbox would protect users.

Prominent researcher HD Moore, the creator of Metasploit and chief security officer at security company Rapid7, said on Tuesday that another likely factor in Microsoft's decision to accelerate the patch was that others had figured out how to modify Abu's exploit so that it was successful against IE7 as well as IE6.

Microsoft patched the iepeers.dll memory corruption vulnerability, and nine others, in the MS10-018 update it issued Tuesday, two weeks ahead of its standard schedule.

Stewart also said that Microsoft's analysis indicated that 80% of the attacks using the iepeers.dll exploit were aimed at Chinese computers. Whether coincidence or not, the vulnerability was originally reported to Microsoft by Beijing-based ADLab, an arm of security firm VenusTech. ADLab alerted Microsoft of the bug in mid-November 2009.

Machines in neighboring South Korea accounted for 11% of the attacks, but only 5% targeted U.S. PCs, said Stewart in an entry to the MMPC blog on Tuesday.

Symantec essentially confirmed Microsoft's data, although it described the target percentages a bit differently. After analyzing the attacks it has seen exploiting the iepeers.dll vulnerability, the security company's security response team ranked China as the No.1 target country, with Korea and the U.S. in the No. 2 and No. 3 spots, respectively.

"The count in China appears to be approximately 10 times that of Korea and the count in Korea is roughly the same as that in the Unites States," a Symantec spokesman said today. "The counts in ... other countries ... appear to be one tenth of those in the United States."

Stewart was optimistic that the MS10-018 update would dampen attacks. "Like the lifecycle of most vulnerabilities, we expect the threat landscape to mellow with the release and adoption of updates and protection," she said.

According to recent research by Wolfgang Kandek, the chief technology officer of Qualys, a California security risk and compliance management provider, emergency updates like this week's for IE take between nine and ten days to be applied to half of all PCs. Even weeks or months later, a significant percentage of machines remain vulnerable, Kandek said in a recent interview. About 20% of PCs still have not received the critical "out-of-band" update that Microsoft issued in January 2010, for example.

Previously, Microsoft said it started working on the fix for the IE zero-day last November, shortly after confirming ADLab's report. During the intervening months, Microsoft "continued to investigate the issue to identify the root cause, develop the update and enter into our extensive testing cycle," said Jerry Bryant, a senior manager at the Microsoft Security Response Center (MSRC).

Date stamps on the revamped iepeers.dll that Microsoft included in Tuesday's update showed that the company concluded its work on the IE6 patch on Feb. 26, and on the fix for the same flaw in IE7 by March 12.

IE8 does not contain the iepeers.dll bug. That has prompted Microsoft to again urge users still running older editions to upgrade to IE8.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com.

FREE Computerworld Insider Guide: Five IT certifications that won’t break you
Join the discussion
Be the first to comment on this article. Our Commenting Policies