Hackers move fast to exploit just-patched IE bug

Three days after Microsoft fixed flaw, Symantec spots active attacks

Just three days after Microsoft patched 11 bugs in Internet Explorer (IE), hackers are exploiting one of those vulnerabilities, a security company said Friday.

Microsoft fixed the flaw Tuesday in an 11-patch update for IE. That update was part of a larger Patch Tuesday roll-out that quashed 34 bugs in 16 separate security bulletins.

Most security experts had put the IE update at the top of their priority lists, and urged Windows users to deploy it as soon as possible.

Today, Symantec reported that CVE 2011-1255 -- its assigned ID in the Common Vulnerabilities and Exposures database -- is already being abused.

"So far, we have only seen limited attacks taking advantage of this vulnerability and believe that the exploit is only being carried out in targeted attacks at present," said Joji Hamada, a senior researcher with Symantec's security response team, in a post to a company blog.

Hamada said that Symantec had found an exploit on an apparently-compromised site that automatically downloads an encrypted malicious file to the PC of any user browsing with an unpatched copy of IE8.

The malware shows some bot traits, Hamada added. Once planted on a machine, it contacts a remote server and listens for commands from its hacker overlords.

Although the CVE 2011-1255 vulnerability affects IE6 and IE7 as well as IE8, Symantec has only seen working exploits that target the latter.

IE9, the browser that Microsoft launched in mid-March, is not affected by the vulnerability, although it was also patched Tuesday to address four different bugs.

In the accompanying advisory, Microsoft pegged the flaw as "critical," its most-serious threat level, for IE7 and IE8 on all Windows machines, and for IE6 running on Windows XP. For IE6 on Windows Server 2003 Microsoft rated the bug as "moderate."

Microsoft also assigned a "1" to the vulnerability in its exploitability index, meaning the company expected a reliable exploit to appear within 30 days. The attackers beat that by a significant margin, putting their exploit into play within three days.

Microsoft was made aware of the flaw in late January by VeriSign's iDefense Labs, which had bought the bug from an anonymous researcher through its bounty program.

iDefense's own advisory categorized the vulnerability as a "use-after-free" bug, a type of memory management flaw that can be exploited to inject attack code.

Users unable to apply Tuesday's IE update can stymie the attacks Symantec has spotted by disabling JavaScript.

To turn off JavaScript, users should select the "Tools" menu in IE, then click "Internet Options," the "Security" tab and the "Internet" content zone. Next, click "Custom Level" and in the "Settings" box, click "Disable" under "Active scripting." Click "OK" in the current dialog box.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

Copyright © 2011 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon