Microsoft Preps IE Flaw Fix; Sites Exploiting Bug Multiply
The software company is working on a fix for a flaw in Internet Explorer that security experts say is being used by a growing number of Web sites to install spyware on users' computers.
Microsoft Corp. on Monday said it was working on a fix for a flaw in Internet Explorer that security experts said was being used by a growing number of Web sites to install spyware on users' computers.
As of Monday, security firm Websense Inc. said the number of unique Web sites taking advantage of the vulnerability had remained at about 200 since Sunday, given that the number of sites taken down have been replaced with a roughly equal number of new sites. The overall number, however, were expected to grow over time.
An entry on the Microsoft Security Response Center blog said the company was seeing "only limited attacks." Nevertheless, Microsoft was working on a fix that would be ready at least by April 11, the next regularly scheduled patch day, if not sooner.
"The IE team has the update in process right now and if warranted we'll release that as soon as it's ready to protect customers," the posting said.
The vulnerability enables hackers to exploit active scripting in IE to install keystroke loggers and other malicious software. Active scripting is a Microsoft technology that allows different software components to interact over the Internet.
Dan Hubbard, senior director of security at Websense said he believed a "limited number" of people or groups were exploiting the flaw, since malicious code on the sites was similar. Others, however, were expected to follow.
"We do believe that additional attacks will occur with different payloads," Hubbard said in an email.
The flaw, which is in IE 5.01, 6.0, and the January version of IE 7 Beta 2 Preview, was serious enough to prompt security vendor Symantec Corp. to raise its "Internet Threat Meter" for Web activities to "medium risk."
Microsoft recommended that customers who believe their machines may have been infected should visit the company's Windows Live Safety Center to have their machines scanned and the malware removed.
Security experts, however, recommended that people visit sites they know are safe, or use another browser, such as Firefox from the Mozilla Corp.
The unpatched vulnerability was first disclosed last Wednesday, raising alarms from security companies even before the first Web site exploiting the flaw was found. The SANS Institute's Internet Storm Center, for example, lifted its InfoCON level to "yellow" for the first time since late December when another zero-day flaw hit Windows users.
The Windows Metafilebug spawned hundreds of sites that used the flaw to load spyware, including keystroke loggers and backdoor Trojans, onto users' PCs.
In the latest CreateTextRange bug, security experts believe hackers would most likely use spam to lure people to sites capable of installing malware.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.