Nasty new zero-day in IE6 and IE7: NOW will you upgrade?

Older Internet Explorer versions ripe for spear-phishing attacks.

Internet Explorer logo (Microsoft)
By Richi Jennings. November 4, 2010.

This week, we learned that Internet Explorer is vulnerable to yet another new zero-day exploit. IE8 is probably immune, but IE6 and IE7 are wide open for a silent, drive-by attack, known as Backdoor.Pirpi. In IT Blogwatch, bloggers wonder what it takes for people to upgrade to IE8.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention an insanely clever video...


Gregg Keizer reports:

Microsoft and others confirmed that attacks are circulating in the wild, primarily targeting IE6 ... [which] Microsoft's been trying to kill for more than a year. ... [But it] downplayed the threat, saying it has seen only "extremely limited" attacks thus far.


Hackers can hijack Windows PCs by getting users to visit a malicious site ... a classic "drive-by" attack that can instantly commandeer a machine. ... Anyone visiting the hacked site with IE6 or IE7 ... is infected with malware that ... downloads a number of files containing additional commands.

Dan Goodin says it was a targeted attack:

The exploits were hosted on a page of an unidentified website that had been breached without the owner's knowledge. ... The perpetrators then sent emails that lured a select group of people in targeted organizations.


[IE8] may also be vulnerable, but a security protection known as ... data execution prevention ... causes the browser to crash rather than ... execute the malicious code. ... The latest reminder of the benefits of moving to the latest version of IE – or to a different browser altogether.

Symantec's Vikram Thakur has details of the malware:

Within the email, the perpetrators added a link to a specific page hosted on an otherwise legitimate website. ... Visitors who were served the exploit page ... went on to download and run a piece of malware on their computer without any interaction.


[It] opens a backdoor on the computer and then contacts ... a specific server hosted in Poland for small ... encrypted files with commands telling the Trojan what to do next.

Microsoft's Andrew Roths, Jonathan Ness, and Chengyun Chu tag-team this triagement, adding alphabet soup:

Internet Explorer incorrectly under-allocates memory to store a certain combination of Cascading Style Sheets (CSS) tags. ... This could result in an overwrite of the least significant byte of a vtable pointer. ... The attacks we’ve seen are all blocked by DEP [which] is enabled by default on IE8 and can be enabled for earlier versions of IE as well.


Using EMET on a version of Internet Explorer that does not enable DEP by default will block the attacks we have analyzed. Beyond this, EMET includes several other mitigations such as Mandatory ASLR and EAT Access filtering.

But Julie Bort offers no hope for a quick fix:

It is unlikely that a patch will be available by next week's Patch Tuesday. ... If Microsoft sees an uptick in this attack ... expect Microsoft to release an out-of-band patch. ... IE7 users are urged to enable the Data Execution Prevention (DEP) feature, although this may cause conflicts with some browser extensions.

And Finally...

"Light, As A Feather" -- Insanely clever video teaches how SMS works
[hat tip: Liz Shannon Miller]

Don't miss out on IT Blogwatch:

Richi Jennings, your humble blogwatcher
  Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email:

You can also read Richi's full profile and disclosure of his industry affiliations.

Copyright © 2010 IDG Communications, Inc.

Shop Tech Products at Amazon