Internet Explorer 'feature' causing drive-by malware attacks


My colleague at Kaspersky Lab Roel Schouwenberg (see disclosure) has discovered a drive-by malware download taking advantage of what Microsoft describes as an Internet Explorer "feature" to launch cross-site scripting attacks.

The attack, discovered at a compromised legitimate site, is using a modified GIF file to exploit the cross-site scripting feature/vulnerability.

Schouwenberg (left) said he reported the vulnerability to Microsoft a long time ago, warning the company that JavaScript embedded into GIF files can be executed under certain circumstances.  Microsoft disagreed and the issue was never patched.

Fast forward to the latest site compromise -- on a high-traffic Web site -- where a GIF file containing an embedded iFrame is pointing IE users to a known malicious site. (The malicious site is currently offline but there's evidence that it's tied to ID-theft attacks).

"This is a step more advanced than today's very common Web site compromises where some JavaScript gets added to the main page," Schouwenberg said.  In this case, a "view source" at the compromised site will not reveal any malicious code, making swift analysis harder.

Schouwenberg has contacted Microsoft again to reconsider its position on this issue.
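
A defensive check for the case described above, as an added example (not code from the article or from Kaspersky Lab): it flags files that carry a GIF signature yet contain HTML or script markup, which a "view source" on the hosting page would not reveal. The token list, the function name and the sample bytes are assumptions constructed for illustration.

```python
import re

GIF_MAGIC = (b"GIF87a", b"GIF89a")

# Assumed token list (not from the article): opening tags and a URL scheme
# that have no business inside image data. Random pixel data can match by
# chance, so treat a hit as a reason to inspect the file, not as proof.
MARKUP = re.compile(
    rb"<\s*(?:script|iframe|html|body|object|embed)\b|javascript:", re.I
)

def scan_image_upload(data: bytes) -> dict:
    """Classify bytes that are uploaded or served under a .gif name."""
    is_gif = data[:6] in GIF_MAGIC
    hits = [
        (m.start(), m.group(0).decode("ascii", "replace"))
        for m in MARKUP.finditer(data)
    ]
    if not is_gif:
        verdict = "reject: not a GIF"
    elif hits:
        verdict = "reject: GIF with embedded markup"
    else:
        verdict = "accept"
    return {"is_gif": is_gif, "hits": hits, "verdict": verdict}

# Constructed sample: a minimal 1x1 GIF89a image.
CLEAN_GIF = (
    b"GIF89a"                                   # signature
    b"\x01\x00\x01\x00\x80\x00\x00"             # logical screen descriptor
    b"\x00\x00\x00\xff\xff\xff"                 # two-entry global color table
    b",\x00\x00\x00\x00\x01\x00\x01\x00\x00"    # image descriptor
    b"\x02\x02\x44\x01\x00"                     # LZW image data
    b";"                                        # trailer
)

# Constructed sample: the same image with an iframe tag added to the file,
# pointing at a reserved .invalid host name.
MODIFIED_GIF = CLEAN_GIF + b'<iframe src="http://sample.invalid/"></iframe>'

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("modified", MODIFIED_GIF)):
        result = scan_image_upload(blob)
        print(name, result["verdict"], result["hits"])
```
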

Topics: Browser, Malware, Microsoft, Security


Talkback

29 comments
  • No surprise here

    Every single vulnerability in IE is due to a built in feature.

    In fact, IE itself can be considered a "zero day" attack friendly vector. The primary point of failure in IT security.
    wackoae
    • What he said :)

      NT
      mrOSX
    • Blah Blah Blah

      Every other browser other than IE is immune to any and all attacks. Yah whatever. Keep telling yourself that nutjob.
      jackbond
      • Who is the nutjob?

        Refute his point. IE has the EXTRA and seamless attack vector due to it's embedded in the OS components to offer ease of use and extra features. FF, Safari and Opera to name 3 don't have this extra conduit to exploit.

        TripleII
        • Of course not..

          Safari just carpet-bombed you to death until last week.
          croberts
          • I've been using Safari for quite sometime now

            & have yet to be hit with this so-called carpet-bombing. I wonder if it has anything to do with me using OS X on a PPC.

            Just a thought,,,

            "In a world without walls & fences, who needs windows & gates?"
            Intellihence
          • Safari users shouldn't feel safe

            "I've been using Safari for quite sometime now & have yet to be hit with this so called carpet-bombing. I wonder if it has anything to do with me using OS X on a PPC."

            No, the bug has nothing to do with one's chip instruction set. You've just been lucky, that's all. I use Firefox with the NoScript plug-in, which is about the best you can do on today's web - even though I'm on OS X.
            Ed Lin
    • No surprise at all.

      [i]In fact, IE itself can be considered a "zero day" attack friendly vector. The primary point of failure in IT security.[/i]

      Precisely correct. Can't say it better.

      As an IT pro, I see this daily.

      It's actually pathetic. How many months usually go by between patches for critical (as in system-takeover) flaws in IE? I can tell you. One. And that's only because Microsoft has forced patches into a monthly pattern, and often lumps multiple fixes into single patches. They'd be more frequent otherwise.

      IE is heavily entangled with the same processes (explorer, etc) that give the user command-and-control of the system. I'm beginning to suspect it [i]can't[/i] be made secure. Using IE to browse the Web is like using your hair to fan a fire. You gonna get burnt.
      DrewBuck
  • what version?

    what version?
    qmlscycrajg
    • Another with the same question...

      While I respect your expertise it seems that your titles are becoming more on how many hits you can get rather than pointing out and then disseminating information on what we need to focus on here and now.

      Kinda like saying that "A new Windows bug has just been discovered that is 100% exploitable" and never mentioning it's only Win95.
      Shayd
      • IE 6, IE 7, and IE 8 beta 1

        more on this
        http://blogs.zdnet.com/security/?p=1370
        balaknair
  • RE: Internet Explorer 'feature' causing drive-by malware attacks

    [i]taking advantage of what Microsoft describes as an Internet Explorer [b]"feature"?[/b] [/i]

    Now that's funny. Whenever my friends and I would come across a bug, we'd sarcastically call it a "feature" too. lol
    Badgered
    • OK,

      so maybe they shouldn't call it a "Feature".

      Let's just call it "An Undocumented Enhancement".
      Cardinal_Bill
  • Get a haircut Hippie (kidding)

    No more pictures like that--you are scaring me.
    D T Schmitz
    • i hear that

      that's funny.. i was thinking the same thing! lol
      adamjames
  • MS Security: "What, me worry?"

    They are the Alfred E. Neuman's of the security community as they just don't care.
    When they do show interest in a vulnerability you have to just about do their job to get them to understand it.
    Then when they issue a patch they just open up another vulnerability.

    It's all a part of MS Trustworthy Initiative.
    dunn@...
  • RE: Internet Explorer 'feature' causing drive-by malware attacks

    Not a big deal. Users only go to the same 6 websites anyway and those are popular and trusted sites which do not get infected nor provide malware. You will see a very small amount of people who will be affected by this, and they were most likely searching for some obscure phrase which led them to a malicious site (by google no doubt) and received the malware. Microsoft will have a fix posted soon enough.
    Loverock Davidson
    • Mike Cox...

      ...you are not. And if you're serious then this is about the silliest thing I've heard today.
      storm14k
    • Sorta wonder what are the other 4 sites you go to.

      Given that we already know that you go to ZDNet and Microsoft.
      B.O.F.H.
    • Where have you been lately L.D. ?

      We need you here more now than ever for the humor.



      "In a world without walls & fences, who needs windows & gates?"
      Intellihence