Microsoft confirms newest IE bug went unpatched yesterday
Hackers timed attacks for maximum impact, says researcher
Other researchers, meanwhile, said that the timing of the attacks, which have already started, was not coincidental.
"The updates Microsoft released yesterday do not address this possible vulnerability," a Microsoft spokesman said today in an e-mail reply to questions, "but I can tell you that Microsoft is investigating these new public claims of a possible vulnerability in Internet Explorer."
Exploit code, which first surfaced in China, is actively seeking out victims, according to security researchers there and in the U.S. Those researchers have found attack code on multiple malicious domains and servers. Elsewhere today, an exploit was posted to the milw0rm.com site, a popular destination for public posting.
Symantec Corp. echoed Microsoft today, confirming that the flaw was not fixed by Tuesday's record-setting update, which included four patches, all judged "critical," for IE.
"The attack works successfully against a fully patched Windows XP SP3 with Internet Explorer 7, including all recent Microsoft Tuesday patches," said Symantec researcher Elia Florio in an entry to the company's vulnerability blog. "Also, Internet Explorer 6 could potentially be affected by the same problem and is therefore only temporarily immune to this initial exploit, which seems to target Internet Explorer 7 on Windows XP and 2003 systems."
There is some minor disagreement among researchers about the underlying bug. HD Moore, a noted vulnerability researcher and the labs director at BreakingPoint Systems, a Texas-based network test company, said his analysis points to a flaw in how IE handles the HTML "span" tag.
Others, however, said that the vulnerability is broader than that. "It's a problem in the .dll that handles the rendering of multiple types of HTML content in IE," said Ben Greenbaum, a senior manager in Symantec's security response group. "But the bug is triggered by the span tag, so it would be accurate to say it's a combination of both of those sources."
Greenbaum said Symantec has monitored attacks, but downplayed the threat for now. "Even in those regions [China and Asia], we're not seeing very high amounts of attacks," he said. "And in our own lab tests, the exploit is not successful against every machine. It's not all that reliable."
He guessed that the current attack code works, at best, a third of the time, but is most likely even less reliable than that. "Only a small portion of these attacks will be successful."
Symantec has not yet determined whether other versions of Microsoft's browser contain the same vulnerability; attack code in use now, however, works only against IE7.
Both Greenbaum and Moore agreed that what sets the bug apart is the timing.
"The most interesting thing is that it seems to have been first exploited on Patch Tuesday," Greenbaum said. "If that's the case, then it's a safe bet that they timed it so that at the least they'd have a month before a patch is released."
"There are usually a couple of these floating around," noted Moore in an e-mail today. "I think the media focus is related to the Microsoft Tuesday timing more than anything else." During his research, Moore uncovered two Chinese servers that were serving malicious code, and noted that the exploits had been last modified Sunday and yesterday.
Microsoft didn't promise a patch, but said it might produce one. "Once we're done investigating, we will take appropriate action to help protect customers," said the company's spokesman. "This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves."
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts