02:42 PM

Exploit Rocks IE, Downloads Scores Of Spyware, Adware

The exploit has so far shown up on hard-core porn sites, which are serving up a buffet of badware to visitors. It's thought to be related to WebAttacker, a multi-exploit attack "kit" created by a Russian group that sells for as little as $15 to $20.

An unpatched vulnerability in all editions of Microsoft's Internet Explorer browser is being exploited, security researchers said Tuesday, with the attack dumping a broad range of adware, spyware, and Trojans onto PCs whose users simply surf to an infected or malicious site.

First reported by Sunbelt Software -- although rival Internet Security Systems claimed it was the first to discover the bug -- the vulnerability is in how IE renders VML (Vector Mark-up Language), an extension of XML that defines on-the-Web images in vector graphics format. The previously unknown -- and thus unpatched -- bug inside IE is already being used by attackers.

So far, said Eric Sites, vice president of research and development at Sunbelt, the exploit has shown up on hardcore porn sites, which are serving a buffet of badware to users who visit those sites.

"First they were pushing Virtumondo adware," said Sites, "but by late afternoon yesterday, these sites were distributing more than 40 different types of malware, including keyloggers, adware, and backdoors."

The new exploit seems to have a connection to WebAttacker, an multi-exploit attack "kit" created by a Russian group that sells for as little as $15 to $20. "We think that this new exploit is inside a new [version of the] kit," said Sites. "If that's true, then it will end up all over the place."

Sites said he expects that the exploit will migrate to one of the so-called "iframe cash" sites -- the term comes from the site -- which use affiliates to push unpatched exploits to a large number of other Web sites, some of which are legitimate addresses whose servers have been previously compromised.

"This could end up being in lots and lots of places," said Sites.

Other researchers spotted the exploit on popular shared hosting distribution sites. The current in-the-wild exploit generates a stack overflow as soon as the user views an HTML page; once that happens, the attacker can push whatever code he wants onto the PC. "We're seeing this on dozens of different sites," said Gunter Ollmann, the director of Internet Security Systems' X-force research lab.

Both Sunbelt and ISS have confirmed that the exploit works against a fully-patched version of IE 6 running on Windows XP SP2. Ollmann also said that earlier editions, including 5.01, can be successfully breached, and that IE 7, Microsoft's under-construction next-generation browser, is "likely" at risk.

Late Tuesday morning, Microsoft acknowledged the bug, and said it was working on a fix. "The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the October security updates on October 10, 2006, or sooner as warranted," a spokesman said.

Shortly after that, Microsoft posted a security advisory that offered several workarounds in lieu of a patch, including setting the kill bit for the vulnerable .dll and disabling scripting behaviors in the browser.

1 of 2
Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
Increasing IT Agility and Speed To Drive Business Growth
Learn about the steps you'll need to take to transform your IT operation and culture into an agile organization that supports business-driving initiatives.
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.