Hackers jump on newest IE7 bug
Vulnerability patched 7 days ago now under attack, say researchers
Although the attacks are currently in "very, very small numbers," they may be just the forerunner of a larger campaign, said Jamz Yaneza, threat research manager at Trend Micro Inc. "I see this as a proof-of-concept," said Yaneza, who noted that the exploit's payload is extremely straightforward and explained that there has been no attempt to mask it by, say, planting a root kit on the victimized PC at the same time.
"I wouldn't be surprised to see this [exploit] show up in one of those Chinese exploit kits," he added.
The new attack code, which Trend Micro dubbed "XML_Dloadr.a," arrives in a spam message as a malicious file masquerading as a Microsoft Word document. If the fake document is opened, the exploit hijacks PCs that have not been patched with the MS09-002 security update Microsoft issued last Tuesday as part of its eight-patch February batch of fixes.
That update, which plugged two holes in IE7, was rated "critical" by Microsoft at the time.
"We first saw this over the weekend," said Paul Ferguson, an advanced threat researcher at Trend Micro. "But we're not sure if it's just a targeted attack or they're staging for something larger. It's hard to tell at the moment."
It's not unusual for hackers to swing into action with a new exploit only days after Microsoft has patched a previously-unknown vulnerability. "They know it takes users a while to patch," Ferguson added. "Even months after Microsoft patched, the Conficker worm was still able to infect millions of PCs because of lousy patching. That's not lost on the bad guys."
The "Conficker" worm, also known as "Downadup," continues to compromise millions of machines daily, even though, as Ferguson noted, Microsoft patched the vulnerability exploited by the worm nearly four months ago.
Yaneza and Ferguson speculated that the current attacks are precursors to a much larger assault that will revive a campaign that tempted users with news about Tibet. Those attacks, which Trend Micro reported in January 2008, share some characteristics with the newest exploits, including malware disguised as Word documents. Yaneza also said that it appears as though the hacker's command-and-control server is based in China, lending more credence to their theory.
"This is the 50th anniversary of the Tibetan freedom movement," said Ferguson, who said it's likely that a large-scale attack based on this exploit would use that news as bait. In 1959, when the People's Republic of China took full control of Tibet, the Dali Lama fled to India, where he is the head of a Tibetan government-in-exile.
One security expert has called on Microsoft to sever the links between IE and Windows to better protect users from attack. According to Wolfgang Kandek, the chief technology officer at Qualys Inc., people plug IE holes no faster than other critical Microsoft vulnerabilities, something that might change if Microsoft split the browser from the operating system and increased the frequency of its IE patches.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts