Danger to IE users climbs as hacker kit adds exploit
Puts pressure on Microsoft to deliver an emergency update, says security expert
Computerworld - An exploit of an unpatched Internet Explorer vulnerability has been added to a popular crimeware kit, a move that will probably push Microsoft to fix the flaw with an emergency update, a security researcher said Sunday.
Meanwhile, a prominent vulnerability expert has sided with Microsoft, which has said the bug will be difficult to exploit in Internet Explorer 8 (IE8), the most popular version of the company's browser.
Last week, Microsoft warned users of its IE6, IE7 and IE8 browsers that hackers were already exploiting a vulnerability in the programs by tricking users into visiting malicious or compromised Web sites. Once at such a site, users were subjected to a "drive-by" attack that required no action on their part to succeed.
Symantec was the first to report the IE bug to Microsoft after the antivirus vendor captured spam posing as hotel reservation notifications sent to select individuals within several organizations.
On Sunday, Roger Thompson, chief research officer of AVG Technologies, said that an exploit for the newest IE flaw had been added to the Eleonore attack kit, one of several readily-available toolkits that criminals plant on hacked Web sites to hijack visiting machines, often using browser-based attacks.
"This raises the stakes considerably, as it means that anyone can buy the kit for a few hundred bucks, and they have a working zero-day," said Thompson on his company's blog.
Microsoft has promised to patch the vulnerability, but last week said that the threat didn't warrant an "out-of-band" update, the company's term for a fix outside the usual monthly Patch Tuesday schedule. Microsoft will deliver three security updates Nov. 9, but won't fix the IE bug then.
Thompson disagreed with Microsoft's assessment.
"I think they'll have to [do an out-of-band update]," Thompson said via instant message on Sunday when asked to bet whether Microsoft will release an IE fix before Dec. 14, the next regularly-scheduled patch date after Tuesday. "I expect attacks will accelerate."
However, AVG -- like Microsoft and Symantec -- has so far seen only a small number of attacks leveraging the vulnerability.
The exploit added to Eleonore may have been cadged from the Metasploit open-source penetration testing kit. Last Thursday, researcher Joshua Drake added an exploit module for the IE bug to Metasploit.
"We do see a lot of exploits essentially cut and pasted from Metasploit [proof-of-concepts]," said Thompson.
Microsoft has urged IE users to enable DEP, or data execution prevention, for IE7, use IE8 or IE9, or run one of its automated "Fix-it" tools to add a custom CSS template to their browsers as protection until a patch is available.