
Zero Day

Ryan Naraine and Dancho Danchev

IE zero-day attack surface expands

By Ryan Naraine | December 12, 2008, 12:24pm PST


The attack surface for password-stealing Trojans currently targeting an unpatched flaw in Microsoft’s Internet Explorer has expanded to include all versions of the browser, including the newest IE 8 Beta 2.

Microsoft released an updated advisory to warn that the underlying flaw affects much more than IE 7 and to spread the word about additional workarounds that can help limit the damage from actual attacks.

Here’s how to protect yourself in the interim:

[ SEE: Hackers exploiting (unpatched) IE 7 flaw to launch drive-by attacks ]

Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones:

  1. On the Internet Explorer Tools menu, click Internet Options.
  2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
  3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High. If no slider is visible, click Default Level, and then move the slider to High.

Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone:

  1. In Internet Explorer, click Internet Options on the Tools menu.
  2. Click the Security tab.
  3. Click Internet, and then click Custom Level.
  4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
  5. Click Local intranet, and then click Custom Level.
  6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
  7. Click OK two times to return to Internet Explorer.
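
One way to verify that the two zone workarounds above are in place on a workstation, as an added example (not part of the article or of Microsoft's advisory): this PowerShell audit reads the current user's zone settings from the registry. It assumes the standard IE zone layout (zone 1 = Local intranet, zone 3 = Internet, value 1400 = Active Scripting, CurrentLevel 0x12000 = High) and does not evaluate Group Policy overrides; the function name is hypothetical.

```powershell
# Added example: audits the zone settings that the GUI steps above write for
# the current user. Group Policy overrides (Policies keys) are not evaluated.
$Base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones = @(
    @{ Id = 1; Name = 'Local intranet' },
    @{ Id = 3; Name = 'Internet' }
)
$ScriptingStates = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$HighTemplate    = 0x12000   # CurrentLevel when the slider is set to High

function Get-ZoneWorkaroundStatus {   # hypothetical helper name
    param([int]$ZoneId, [string]$ZoneName)

    $key   = Join-Path -Path $Base -ChildPath "$ZoneId"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    $scripting = $null
    $level     = $null
    if ($props) {
        $scripting = $props.'1400'       # URL action 1400 = Active Scripting
        $level     = $props.CurrentLevel
    }

    # Translate the raw DWORD into the label shown in the Custom Level dialog.
    $state = 'Not set'
    if ($null -ne $scripting) {
        if ($ScriptingStates.ContainsKey([int]$scripting)) {
            $state = $ScriptingStates[[int]$scripting]
        } else {
            $state = "Unknown ($scripting)"
        }
    }

    [pscustomobject]@{
        Zone            = $ZoneName
        ActiveScripting = $state
        HighTemplate    = ($level -eq $HighTemplate)
        # The workaround asks for Prompt (1) or Disable (3).
        WorkaroundSet   = (@(1, 3) -contains $scripting)
    }
}

$Zones |
    ForEach-Object { Get-ZoneWorkaroundStatus -ZoneId $_.Id -ZoneName $_.Name } |
    Format-Table -AutoSize
```

A row with `WorkaroundSet` false means Active Scripting still runs without a prompt in that zone for the logged-on user.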

Enable DEP for Internet Explorer 7

  1. In Internet Explorer, click Tools, click Internet Options, and then click Advanced.
  2. Click Enable memory protection to help mitigate online attacks.

(NOTE: Some browser extensions may not be compatible with DEP and may exit unexpectedly. If this occurs, you can disable the add-on, or revert the DEP setting using the Internet Control Panel. This is also accessible using the System Control panel).

Microsoft’s latest advisory also includes technical instructions on how to use an ACL to disable OLEDB32.DLL, how to unregister OLEDB32.DLL, and how to disable Data Binding support in Internet Explorer 8.

IE users should bear in mind that there’s a growing list of sites exploiting this vulnerability and, now that the exploit code is publicly available, the threat will certainly grow in the coming days and weeks.

Until Microsoft can issue a patch — out-of-cycle or otherwise — you should consider using an alternative browser like Mozilla Firefox or Opera.   If you must use Internet Explorer, be sure to securely configure the browser with the mitigations described above.



Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback Most Recent of 39 Talkback(s)

  • re: IE zero-day attack surface expands
    What a pathetic situation.

    This goes across two versions of IE, and Microsoft hasn't issued an emergency patch for it?

    Thanks for the advice to go to Firefox or Opera...if you're smart you'll never go back to IE again.

    Typical Microsoft.
    itanalyst2@...
    12th Dec 2008
  • RE: IE zero-day attack surface expands
    Would you rather have an untested patch that nails your system?

    The websites seen in the attack are overseas and I don't see my users surfing to them.

    Quite frankly, it's pathetic when we freak out when it may not be warranted to do so.

    I don't see DEP as a good mitigation as it's only in Vista and I've seen a metasploit that bypasses DEP.
    Bitzie
    12th Dec 2008
  • Actually, DEP is in
    Windows XP as well.... it's just disabled by default in Windows XP because a lot of programs have a problem with the implementation of DEP in Windows XP.
    Lerianis
    13th Dec 2008
  • RE: IE zero-day attack surface expands
    Make a new shortcut to IE6 or IE7 using dropmyrights and name it Safe Internet Explorer. You can even change the icon to that of IE. Delete old internet explorer icons on desktop.
    Best solution I've found so far
    zmud
    13th Dec 2008
  • Essentially a non-issue for IE7 on Vista.
    With protected mode and the default user lacking
    administrative privileges this code is essentially harmless. If
    you were looking for a reason why you should upgrade to
    Vista this is another example.
    ye
    13th Dec 2008
  • Translation: "Go buy a new PC now!"
    There's no such thing as a problem that can't be solved by just throwing more money at it, eh ;-)?
    Zogg
    14th Dec 2008
  • Sometimes you just have to move on.
    And with new PCs costing a mere $270:

    http://www.microcenter.com/single_product_results.phtml?product_id=0291809

    you gain much more than an upgrade to the OS.
    ye
    14th Dec 2008
  • Guess you haven't noticed
    the economy is in shambles, people are losing their jobs and homes. So how can you justify that $270.00 is reasonable to someone that needs their PC to look for a job since they have been out of one for several months already, their house is in foreclosure and whatever savings they had is long gone and their credit cards are no longer useful since they have to pay the remaining debt on those as well.

    And let's not forget the massive trade deficit, and that (just did a quick search) the unemployment rate is 6.7% and rising, and the stock market is in chaos because the big three screwed up with poor business plans and are about to go down under chapter 11 (unless the current Socialist regime steps in and throws more taxpayer money away in hopes of saving them). And of course let's not forget the banking industry that is still not loaning money and on the brink of collapse still. And then the 50 billion dollar ponzi scam that just surfaced. How many more of those are lurking out there?

    You're not being realistic ye. You aren't even looking at the big picture here. IF there was a real solution that is affordable, it would be Linux on the existing hardware. The only cost is the CD/DVD, net time and burn, install time. Much more affordable than $270.00.
    Linux User 147560
    14th Dec 2008
  • Then they've got much larger problems than a vulnerability in IE.
    And as such I don't think this vulnerability is what's going to keep them awake at night.
    ye
    14th Dec 2008
  • Forgot a lot of other costs
    That's total crap, there will be a lot more costs than just the DVD burn time or download. How about training time on the new OS? Or how about new training for the software as well? Why is it that you Linux guys conveniently forget to say anything about training costs, which will cost more than 270.00 per person.
    Stan57
    15th Dec 2008
  • Why not mention
    training costs. Probably because you Microsoft guys forget to include the retraining costs for Microsoft's upgrades. From what I've seen those are worse than anything in Linux.
    Update victim
    15th Dec 2008
  • Linux is Magical
    That's exactly why people are running in droves to get it.
    tikigawd
    15th Dec 2008
  • Cause of economy collapse
    I guess you didn't notice the actual cause. It started with "The Economic Reinvestment Act of 1977" passed by the Democrat majority under Carter. This set the stage for the Sub-standard loans and the Adjustable Rate Mortgage traps that brought about the high number of foreclosures. Then under Clinton the Democrats pushed Fannie Mae and Freddie Mac with threats of lawsuits because they had not moved enough money into the hands of those who were unable to repay. This was followed by preventing the responsible Congressmen and Senators from getting their bills to correct this passed or, since the Democrats gained control of the Senate, even having their bills discussed. Blame Harry Reid for this.

    The auto companies are victims just like us except for the UAW labor agreements that they agreed to when the congress prevented them from presenting a unified bargaining unit for these labor negotiations. Congress made it illegal for the companies that were not struck to lock out the labor even though there was no labor contract governing the situation.

    In their quest for UAW votes the congress set the rules for the auto company labor agreements that are a large part of the auto company problem.

    Just put the blame where it belongs. That is on the shoulders of the congress and senate. They are the nation's executives who failed us. They are also the ones who instituted our auto safety rules that prevent the importation of Ford's 73 MPG Fiesta from Europe. But that's another story. Just keep the blame where it belongs, CONGRESS.
    Update victim
    15th Dec 2008
  • hahaha good one!
    "Just put the blame where it belongs. That is on the
    shoulders of the congress and senate. They are the
    nation's executives who failed us. They are also the ones
    who instituted our auto safety rules that prevent the
    importation of Ford's 73 MPG Fiesta from Europe. But
    that's another story. Just keep the blame where it belongs,
    CONGRESS."

    read some history------ try
    http://mises.org/books/historyofmoney.pdf
    As long as the "Keynesian Economists" are running the
    show you are lost......
    vilppuu@...
    17th Dec 2008
  • But...
    How could they afford the internet connect? and how much longer is the ISP going to be in business?

    Oh NO!!!! run for your lives!!!

    At this point I don't think Linux or Windows is on a lot of people's minds.

    Me... I'm investing in Ruger and a crate of ammo. Deer tastes better than IBM.
    ShadowGIATL
    15th Dec 2008
