Hackers exploit unpatched IE bug with drive-by attacks
Microsoft confirms hackers targeting IE6; IE7 also at risk
Computerworld - Microsoft today warned that attackers are targeting Internet Explorer (IE) with an exploit of a critical unpatched vulnerability in all current versions of the browser.
Only IE9, which is still in beta, is unaffected.
Microsoft and others confirmed that attacks are circulating in the wild, primarily targeting IE6, the nine-year-old browser that Microsoft's been trying to kill for more than a year.
"So far, the attacks we have seen only target Internet Explorer 6 and would not have been successful against Internet Explorer 8," said Andrew Roths, Jonathan Ness and Chengyun Chu, three engineers who work on the Microsoft Security Response Center team.
Microsoft downplayed the threat, saying it has seen only "extremely limited" attacks thus far.
The exploit relies on a heap spray to take down IE, said Roths, Ness and Chu. Hackers can hijack Windows PCs by getting users to visit a malicious site, making the threat a classic "drive-by" attack that can instantly commandeer a machine with a vulnerable version of IE.
Although the newer IE8 contains the vulnerability, it's immune to the current round of attacks because it switches on DEP, or data execution prevention, by default. DEP is one of two key defensive measures within Windows -- the other is ASLR, or address space layout randomization -- designed to block attacks, or at least make the hacker work harder.
Antivirus vendor Symantec said that it had first seen exploits aimed at the IE bug several days ago when it came across spam that had been sent to select individuals within some organizations. The messages posed as hotel reservation notifications.
"Within the e-mail, the perpetrators added a link to a specific page hosted on an otherwise legitimate site," said Symantec researcher Vikram Thakur in an entry on his company's blog. "The hackers had gotten access to the Web site account and uploaded content without the owners knowing."
Anyone visiting the hacked site with IE6 or IE7 -- the former doesn't support DEP, while the latter doesn't enable it by default -- is infected with malware that opens a "backdoor" on the compromised computer, then downloads a number of files containing additional commands
Symantec said it reported the bug to Microsoft and reached out to the owners of the server hosting the attack page and malware. That server has since been taken offline.
"The files on this server had been accessed by people in lots of organizations in multiple industries across the globe," said Thakur. "[But] very few of them were seen accessing the payload file, which means that most users were using a browser which wasn't vulnerable or targeted."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts