As attacks escalate, MS readies emergency IE patch

Emergency Internet Explorer patch coming

Microsoft is planning to ship an emergency Internet Explorer update tomorrow (December 17) to counter an escalating wave of malware attacks targeting a zero-day browser vulnerability.

[ SEE: Hackers exploiting (unpatched) IE 7 flaw to launch drive-by attacks ]

The out-of-band update, which will be rated critical, follows the public discovery of password-stealing Trojans exploiting the bug on Chinese-language Web sites.  Over the past week, the attacks have expanded with hackers using SQL injection techniques to seed exploits on legitimate Web sites.

[ GALLERY: How to configure Internet Explorer to run securely ]

This will be the second out-of-band update from the MSRC (Microsoft Security Response Center) in the last two months.  Back in October, the company shipped MS08-067 to plug an extremely critical worm hole that affected Windows 2000, Windows XP and Windows Server 2003.

The IE patch will be available for all supported versions of the browser.  According to this pre-patch advisory from Microsoft, the in-the-wild attacks have targeted IE 7 on Windows XP SP2 and SP3, Windows Server 2003 SP1 and SP2, Windows Vista (including SP1) and Windows Server 2008.

The actual flaw exists in the way IE handles DHTML Data Bindings:

Malicious HTML that targets this vulnerability causes IE to create an array of data binding objects, release one of them, and later reference it. This class of vulnerability is exploitable by preparing heap memory with attacker-controlled data (“heap spray”) before the invalid pointer dereference.
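The release-then-reference pattern the advisory describes, reduced to a C illustration added here (this is not IE's code and not from the advisory): a table of hypothetical binding objects, one released, then referenced through the same array slot. The unsafe functions show the dangling-pointer defect; the hardened ones clear the slot on release and validate before every use, which is the mitigation a developer would apply.

```c
#include <stdlib.h>
/* Hypothetical stand-in for a DHTML data binding object (constructed for
 * illustration only; this is not IE's real structure). */
typedef struct { int row; } binding_t;
#define N_BINDINGS 4

/* Vulnerable pattern: the array slot keeps a dangling pointer after release. */
void release_binding_unsafe(binding_t *bindings[], int i) {
    free(bindings[i]);            /* object freed, slot left pointing at it */
}
int use_binding_unsafe(binding_t *bindings[], int i) {
    return bindings[i]->row;      /* use-after-free if slot i was released */
}

/* Hardened pattern: clear the slot on release and validate before every use. */
void release_binding_safe(binding_t *bindings[], int i) {
    free(bindings[i]);
    bindings[i] = NULL;           /* no dangling pointer survives the release */
}
int use_binding_safe(binding_t *bindings[], int i, int *row_out) {
    if (i < 0 || i >= N_BINDINGS || bindings[i] == NULL)
        return -1;                /* released or out-of-range slot: refuse */
    *row_out = bindings[i]->row;
    return 0;
}

void build_table(binding_t *bindings[]) {
    for (int i = 0; i < N_BINDINGS; i++) {
        bindings[i] = malloc(sizeof *bindings[i]);
        bindings[i]->row = i * 10;    /* constructed sample data */
    }
}
void free_table(binding_t *bindings[]) {
    for (int i = 0; i < N_BINDINGS; i++) release_binding_safe(bindings, i);
}

/* Release slot 2, then reference it through the hardened path. Returns 0 if
 * the dangling access was refused and a live slot (1) still reads correctly. */
int demo_safe_path(void) {
    binding_t *bindings[N_BINDINGS];
    int row = -1, rc_dead, rc_live;
    build_table(bindings);
    release_binding_safe(bindings, 2);
    rc_dead = use_binding_safe(bindings, 2, &row);   /* expect -1, row untouched */
    rc_live = use_binding_safe(bindings, 1, &row);   /* expect 0, row == 10 */
    free_table(bindings);                            /* free(NULL) is a no-op */
    return (rc_dead == -1 && rc_live == 0 && row == 10) ? 0 : 1;
}
```

The unsafe pair is never called here; it is kept only to show the defect side by side with the fix.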

* Image source: jmv's Flickr photostream (Creative Commons 2.0)

Topics: Windows, Browser, Microsoft, Operating Systems, Security, Software


Talkback

70 comments
  • 1 point and 1 question

    Hehe, the #1 complaint about the monthly patch schedule is that ABMers claim that MS sits on critical patches. This is the second time that MS has reacted quickly to a threat, thus making the ABMers' point moot. I would also encourage those ABMers to look at Apple's patch schedule which, although not pre-scheduled, does seem to result in dozens of patches being released all at once approximately once a month. Unless you want to convince me that Apple releases individual patches as soon as they are ready and it is just a coincidence that 21 patches became ready at the same time, you have to admit that releasing patches in batches is fairly common practice.

    The question I have comes from the [url=http://www.microsoft.com/technet/security/advisory/961051.mspx] Microsoft Security Bulletin [/url] which states: [i]Protected Mode in Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista limits the impact of the vulnerability.[/i] While still containing the vulnerability, can't anyone come out and state whether or not Protected Mode is actually protecting people from the in the wild exploits? We hear about Vista machines being vulnerable to this but we also hear that people turn off UAC (which turns off Protected Mode). People should obviously patch this when the patch becomes available but it certainly would be nice to know what is meant by [i]Protected Mode in Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista limits the impact of the vulnerability.[/i] If it limits the impact of the vulnerability to the point where the exploit can't install back doors or steal your password then this would be good information to know. If it [b]doesn't[/b] limit the impact of the vulnerability then this would [b]also[/b] be very good information to know.
    NonZealot
    • Regarding the question

      This SWI blog post addresses your question:

      http://blogs.technet.com/swi/archive/2008/12/12/Clarification-on-the-various-workarounds-from-the-recent-IE-advisory.aspx

      _r
      Ryan Naraine
      • Thanks Ryan but I don't believe it answers the question

        I read that article with interest from your blog post but it talks about using UAC to block access to the DLL, effectively shutting down the attack vector and therefore the vulnerability. What I'm asking is whether or not Protected Mode prevents exploits from working on systems where the attack vector is still open. I'm drawing a big distinction between the vulnerability and the exploit. While the article talks about shutting down the vulnerability, it doesn't talk about whether or not the default Vista settings prevent the exploit from doing whatever it is trying to do with a flurry of "Access Denied" errors.

        No doubt that people should implement the suggestions from your article but let's be honest, it is Vista in its default configuration that is being tested 99% of the time. The claim was that Protected Mode would neuter exploits targeting future zero day vulnerabilities. MS's article suggests that this is the case. Yet if reports are to be believed, Vista SP1 machines are being successfully attacked. I would simply like to see some confirmation on whether or not the infected users had turned off UAC.

        The vulnerability still needs to be fixed regardless (if only for XP users) but I've yet to see any documentation on whether or not a default Vista install, with UAC and Protected Mode enabled, would fall to these exploits. It truly shouldn't be hard to confirm one way or another, right? I'm truly just as interested to find out if Protected Mode [b]doesn't[/b] protect users from these exploits because I think it is important to understand why it failed to work as advertised.
        NonZealot
        • Hilarious...

          [i]Hehe, the #1 complaint about the monthly patch schedule is that ABMer's claim that MS sits on critical patches. This is the second time that MS has reacted quickly to a threat thus making the ABMer's point moot.[/i]

          The second time? In what...10, 20 years?

          And you think that's a record to be proud of?

          ~

          I'm the one that's laughing.... :D
          hasta la Vista, bah-bie
          • *facepalm*

            {NT}
            Sleeper Service
          • Don't bruise yourself... lol... :D

            nt
            hasta la Vista, bah-bie
    • Protected Mode limits the ability of malware to...

      ...modify system/user files/settings. Thus malware can run but it has effectively no rights to change things. It can read files therefore information disclosure is a possibility.
      ye
      • That's the theory

        [i]Thus malware can run but it has effectively no rights to change things. It can read files therefore information disclosure is a possibility.[/i]

        Agreed, I could see this resulting in stolen game passwords that probably aren't securely stored on the file system. However, there are [url=http://blogs.zdnet.com/security/?p=2283] reports that these exploits are triggering drive-by downloads [/url], a feat which would be difficult if the exploit did not have the permission to change things in the file system.

        Perhaps the confusion is that there are multiple exploits, each doing different things. While Vista might be vulnerable to the password stealing exploits, it isn't vulnerable (in its default configuration) to the drive-by download exploits? I'm just guessing though.
        NonZealot
        • The drive-by downloads, as described in the link, apply to...

          ...IE 7 running on Windows XP SP2. IE 7 on XP does not have the benefit of protected mode.

          Furthermore, any XP user who is utilizing the default user account, which is a member of the administrators group, can write anywhere in the file system. If you're running with standard privileges in either OS (the default in Vista until elevated through UAC) such malware will fail to write outside the user's home directory (though malware could create a new directory at the root of the system's drives, as the default permissions in XP allow any user to create new directories at the root. This was changed in Vista).

          Does that help?
          ye
    • Let's look the other way?

      Not sure what your point is about what this or that company does on SW updates.

      This one was a big problem and MS has no option but to rush out a fix. There were stories in the major press around the world today saying stop using IE now. If they had not got an update ready it would have been a marketing disaster.

      Let's hope the fix works, as this type of problem seems to be getting bigger for all suppliers. The question to ask after that is how did MS leave such a big hole.
      martin23
      • Never said to look the other way

        Please quote me where I said that we should look the other way.

        [i]This one was a big problem and MS has no option but to rush out a fix.[/i]

        But that's my point. The ABMers said that MS's monthly patch cycle is terrible because MS will sit on a patch until the next patch Tuesday. MS [b]does[/b] have an option to sit on a patch but they didn't, thus destroying the ABMers' primary attack against a monthly patch cycle.

        [i]The question to ask after that is how did MS leave such a big hole.[/i]

        Name one browser that doesn't have regular remote code execution vulnerabilities. There isn't one. MS left such a big hole because their developers are human, just like [url=http://www.opera.com/support/kb/view/865/] Opera's [/url]developers are human, [url=http://www.securident.com/vuln/ff.txt]Firefox's [/url] developers are human, and [url=http://www.juniper.net/security/auto/vulnerabilities/vuln28492.html] Apple's [/url] developers are human. That's how.
        NonZealot
        • I said you were looking the other way

          I do not see what your point is here. The issue is the seriousness of the problem, and this one was a very big problem. MS has no option but to break their update cycle or risk more stories in the press saying you cannot use IE. The issue of the regular MS patch cycle is irrelevant to this story.

          I also have an issue with you saying well, MS developers are human and everyone has the same problem. In this instance, clearly not. I choose to use Firefox partly because it gets fewer attacks than IE, but if Firefox has a problem I do not excuse it on the grounds that IE may have the same issue.
          martin23
          • I agree...

            ...but I think his point is that MS should be applauded for doing this and recognising the seriousness of the issue.

            The question is "would the other browser vendors?" I suspect yes, but time will tell.
            Sleeper Service
          • Applauded for what?

            Doing the job they were supposed to be doing? Are you kidding?

            Not to be outdone but Mozilla just released 3.0.5 yesterday and there was no press, no brass bands, no la-te-da. Doing the job Firefox users have come to expect over the years.

            So puh-leaseee... Spare us your pats on the back, k?
            hasta la Vista, bah-bie
          • Except it took Mozilla...

            ...twice as long to release the patch for Greasemonkey as it did for MS to release this patch.

            :)
            Sleeper Service
          • And you're complaining about one patch?

            For an extension, no less?

            Boy, you shills are really scraping the bottom of the barrel here today...

            BWHAW HAW HAW HAW... :D
            hasta la Vista, bah-bie
        • I can't believe I'm reading this

          [i]But that's my point. The ABMers said that MS's monthly patch cycle is terrible because MS will sit on a patch until the next patch Tuesday. MS does have an option to sit on a patch but they didn't, thus destroying the ABMers' primary attack against a monthly patch cycle.[/i]

          :o

          Oh ok, so twice in the last 10 or 20 years or so, they deviated from their normal business-as-usual schedule and got off their asses when the press caused a stink. 2 patches out of how many?

          Again, you think their record of reaction times to threats is something to be proud of?
          hasta la Vista, bah-bie
    • This is ALWAYS good info to know...

      "If it limits the impact of the vulnerability to the point where the exploit can't install back doors or steal your password then this would be good information to know. If it doesn't limit the impact of the vulnerability then this would also be very good information to know. "

      I know it's fun and all to bash the various platforms, but this above is the real point that many overlook when tossing out vulns.
      storm14k
  • Protected Mode mitigates attacks, doesn't stop them

    Protected Mode means that if this exploit is used against IE 7 (or 8) on Vista in Protected Mode, the code injected into IE is limited in what it can do.

    Without protected mode, it can do anything a standard user account can do without elevating to admin privileges. That is, it can read and write user data, but not overwrite system files or affect other users' data.

    With protected mode, it cannot write to user data, so it cannot corrupt your documents, add start-up programs, install malware, or do anything like that.

    But even in protected mode, it can still read your data and transmit it back to the attacker, or likely could display misleading UI in the IE window that is attacked, or possibly use your computer as a bot for a DoS attack or something. So while the attack is mitigated, it can still be quite dangerous in a variety of ways.

    That's why Microsoft has never said and will never say that Protected Mode is a solution to these problems, but it is a very substantial and thus far quite successful mitigation, and a great example of a defense-in-depth philosophy.
    threedaysdwn
    • Slight correction: without protected mode, it has whatever rights you have

      "Without protected mode, it can do anything a standard user account can do without elevating to admin privileges."

      It's important to note that is only true if you are a standard user (or protected admin on Vista, the default). If you're a full administrator (the default on XP, and in Vista if UAC is disabled), then the exploit does have those same administrator privileges.
      PB_z