Malware pushers already using zero-day exploit

Summary: Yesterday the news hit about another zero-day exploit for Internet Explorer with code publicly available and today the malware pushers are already using it.

Yesterday news broke of another zero-day exploit for Internet Explorer, with exploit code publicly available, and today the malware pushers are already using it. George Ou has a good post about the exploit, including instructions on how to turn off active scripting for home users and for all computers in a domain.

The Secunia advisory here says:

The vulnerability is caused due to an error in the processing of the "createTextRange()" method call applied on a radio button control. This can be exploited by e.g. a malicious web site to corrupt memory in a way, which allows the program flow to be redirected to the heap.

This vulnerability has been confirmed on a fully patched Windows XP SP2 system running Internet Explorer 6 and also affects the IE 7 Beta 2 preview released in January. Other versions may be affected. AFAIK Firefox, Mozilla and Opera are not affected. Microsoft advisory here.

SANS has raised InfoCON to yellow. Ed Skoudis wrote:

At the urging of Handler Extraordinaire Kyle Haugsness, I tested the sploit on a box with software-based DEP and DropMyRights... here are the results:

Software-based DEP protecting core Windows programs: sploit worked
Software-based DEP protecting all programs: sploit worked
DropMyRights, config'ed to allow IE to run (weakest form of DropMyRights protection): sploit worked
Active Scripting Disabled: sploit failed

So, go with the last one, if you are concerned.  By the way, you should be concerned.

Security and spyware researchers have already seen sites in the wild running this exploit. Some appear to be hacked sites using iframes. Network admins and ISPs are being notified. One such hacked site was downloading a keylogger.

For Windows users: even if you browse with Firefox or Opera, I recommend you disable active scripting, because many applications launch or embed Internet Explorer. If you disable active scripting, you might need to add some sites to your Internet Explorer Trusted sites zone for certain features to work.
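As an added worked example (not George Ou's instructions and not code from the original post), the script below applies the workaround recommended above through the registry: it sets Active scripting to Disable in the Internet zone, keeps it enabled in the Trusted sites zone, and maps a list of hosts into Trusted sites so they keep working. The zone numbers (3 = Internet, 2 = Trusted sites), the action value 1400 (Active scripting; 0 = enable, 1 = prompt, 3 = disable), the ZoneMap\Domains layout and the Security_HKLM_only policy value are the documented IE zone settings; the host names passed in are placeholders. For a whole domain, the equivalent is the Internet Explorer security zone Group Policy (including "Security Zones: Use only machine settings"), which this script mimics with its -Machine switch for a startup script.

```powershell
# Added example: disable Active scripting in IE's Internet zone and whitelist
# specific hosts in the Trusted sites zone. Run as the affected user (HKCU) or,
# with -Machine, as an administrator to apply it to all users on the box.
param(
    [switch]$Machine,                 # write under HKLM and lock the zones to machine settings
    [string[]]$TrustedSites = @()     # placeholder hosts, e.g. 'update.microsoft.com','intranet.example.com'
)

$hive    = if ($Machine) { 'HKLM:' } else { 'HKCU:' }
$zones   = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
$domains = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

# IE stores host-to-zone mappings as Domains\<domain>\<subdomain>, so split the
# host into its registered domain and any remaining prefix.
function Get-ZoneMapKey([string]$root, [string]$hostName) {
    $labels = $hostName.Split('.')
    if ($labels.Count -le 2) { return Join-Path $root $hostName }
    $domain = ($labels[-2..-1]) -join '.'
    $sub    = ($labels[0..($labels.Count - 3)]) -join '.'
    return Join-Path (Join-Path $root $domain) $sub
}

# 1. Internet zone (3): Active scripting (1400) -> Disable (3). This is the
#    setting Ed Skoudis found actually stopped the exploit.
New-Item -Path "$zones\3" -Force | Out-Null
Set-ItemProperty -Path "$zones\3" -Name '1400' -Value 3 -Type DWord

# 2. Trusted sites zone (2): leave scripting enabled so whitelisted sites work.
New-Item -Path "$zones\2" -Force | Out-Null
Set-ItemProperty -Path "$zones\2" -Name '1400' -Value 0 -Type DWord

# 3. Map each whitelisted host into zone 2 for both http and https.
foreach ($site in $TrustedSites) {
    $key = Get-ZoneMapKey $domains $site
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'http'  -Value 2 -Type DWord
    Set-ItemProperty -Path $key -Name 'https' -Value 2 -Type DWord
}

# 4. Machine-wide: tell IE to read zone settings only from HKLM, so a user
#    cannot re-enable scripting from the Security tab. This is the value the
#    "Security Zones: Use only machine settings" Group Policy sets.
if ($Machine) {
    $pol = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    New-Item -Path $pol -Force | Out-Null
    Set-ItemProperty -Path $pol -Name 'Security_HKLM_only' -Value 1 -Type DWord
}

# 5. Read the setting back so the change can be verified before trusting it.
$state = (Get-ItemProperty -Path "$zones\3").'1400'
"Internet zone Active scripting = $state (3 = disabled)"
```

Example invocation: `.\Disable-ActiveScripting.ps1 -TrustedSites 'update.microsoft.com','intranet.example.com'` for one user, or the same with `-Machine` from an elevated prompt. Open a new IE window afterwards; already-running instances keep their old zone settings. Keep the Trusted sites list short: any host placed there runs script again, so a compromised site on that list is back in the position described in this post.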

Update 5:40 PM: Websense is reporting a rapid increase in sites using this exploit. At the time of the blog post, nearly 100 unique URLs had been found attempting to run this exploit. There is also suspicion that web server exploits are being used to compromise sites that are then used to host the IE exploit. Travel-related websites and sites using phpBB are mentioned.

Network/sys admins, webhosting companies and webmasters -- *please* secure your web servers!  I've read some shocking evidence of lack of knowledge regarding security of web servers, mostly Apache servers, on various webhosting and webmaster forums.  It's truly frightening.

Talkback

4 comments
  • Suzi, a small correction...

    the "createTextRange()" flaw <b>doesn't<b> affect IE7 beta 2. The flaw that affects IE7 beta 2 is an entirely different beast:

    http://blogs.zdnet.com/Ou/?p=176

    The only workaround for that flaw, for now, is to use an alternate browser.
    Tony Agudo
    • Oops...

      forgot to put a </b> to terminate the boldface. My bad!
      Tony Agudo
    • Secunia

      The secunia advisory says:

      "The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition). Other versions may also be affected.

      2006-03-24: Added link to Microsoft advisory. Added CVE reference. Added additional versions of Internet Explorer as affected."

      http://secunia.com/advisories/18680/

      The March edition of IE7 beta 2 is not affected by this one, but the January release is. At least that's how I read it.
      Suzi_z
      • Oh, okay. Thanks for clarifying!

        (nt)
        Tony Agudo