Internet Explorer Vulnerability Exploited Again - InformationWeek


Security experts say a Trojan horse directed traffic from popular Web sites to an IP address designated by the attacker.

Vulnerabilities in Microsoft's Internet Explorer Web browser have been exploited again, security experts said on Thursday, this time by a Trojan horse that redirected traffic from more than 100 popular Web sites to an IP address designated by the attacker.

The Trojan, dubbed Qhosts and Delude.B by various anti-virus vendors, redirected traffic on compromised machines from a large number of legitimate sites--primarily search engines, among them those found at AltaVista, Google, Lycos, MSN, and Yahoo. According to Computer Associates, requests to surf to those search sites were shunted instead to a Web site that was taken offline within 24 hours of the Trojan's appearance.

"This is another attempt by an attacker, probably the same attacker who wrote the original Delude Trojan earlier this month, to hijack Web sites and potentially profit from that redirection," said Ken Dunham, the director of malicious code for iDefense, a 5-year-old company that specializes in security intelligence and provides information to clients through partners such as British Telecom and Japan's Itochu Corp. "It's definitely another exploit of the vulnerabilities that still exist within Internet Explorer."

Qhosts is only the most recent exploit of Internet Explorer vulnerabilities. Starting last week, and continuing over the weekend, others commandeered AOL Instant Messenger accounts and downloaded code that forced users' computers to dial 900 numbers.

The flaw in Internet Explorer stems from a problem the browser has in correctly determining Object Types, and was thought to be patched by a fix that Microsoft released on Aug. 20. But that patch hasn't put a stop to attacks.

"Just by surfing the Web with Internet Explorer, attackers can install anything, at will, on your system and you won't even know it," said Dunham. By exploiting the vulnerabilities, "attackers can use any kind of HTML content to install a Trojan."

As of Thursday, Microsoft hasn't released an updated patch to close Internet Explorer's security holes. A Microsoft spokesman said the company "is investigating an exploit of a variation on a vulnerability originally patched in Microsoft Security Bulletin MS03-032. We will release a fix for this variation shortly."

Microsoft also recommended that users protect themselves against the newer exploits by changing Internet Explorer's security zone settings to prompt before running ActiveX controls and, although the original patch doesn't cover all the bases, by installing that fix nonetheless.

Most anti-virus vendors have released updated signature files that will trap Qhosts, and have rated the vulnerability as moderate. Symantec Corp. ranked Qhosts as a '2' on its 1-through-5 scale, while Network Associates labeled it as "low-profile."

Qhosts doesn't seem to be a particularly disruptive or damaging Trojan, and the destination site for its redirection was quickly shuttered, but that could easily change, said Dunham.

"The possibilities are very large that a worm could come out of this exploit," he said, due to the tempting target that Internet Explorer makes and how easy it would be to wrap the exploit code into, say, a worm delivered by mass E-mail.

"An E-mail worm that takes advantage of this vulnerability could be devastating," Dunham said. While he doesn't have any direct evidence that a worm is imminent, Dunham did say that he's spotted code on hacker sites, including one based in Russia, indicating that attackers are working on such a worm.

Symantec, which released its six-month evaluation of vulnerabilities and threats on Wednesday, pointed to Internet Explorer as software that IT managers should monitor closely.

Users can protect Internet Explorer against attack, or at least mitigate those attacks, said Dunham, by following Microsoft's advice to disable ActiveX controls or prompt the user before running them. "But another idea is to use a non-vulnerable browser," such as Netscape Navigator, Mozilla, or Opera. The Internet Explorer vulnerability "will be a constant avenue of attack, so it's a good idea, and common sense, to have a multiple-browser setup, just in case," he said. "Enterprises could continue to use IE for trusted sites or internally, and another browser to reach external or questionable sites. It would be the best of both worlds."
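The advice to prompt before running ActiveX controls maps onto the ActiveX URL actions of Internet Explorer's Internet zone, which are stored as per-user registry values. The PowerShell below is an added example, not part of the article or of Microsoft's bulletin: the function names are hypothetical, it reads and changes only the current user's zone values, and Group Policy settings, where present, take precedence over them.

```powershell
# Added example: audit the ActiveX URL actions of IE's Internet zone (zone 3)
# and switch any that run silently to "Prompt". Function names are hypothetical.
# URL action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ActiveXActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZonePolicy {
    param([string]$Path = $ZoneKey)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($id in $ActiveXActions.Keys) {
        $value = $null
        if ($props -and $props.PSObject.Properties[$id]) { $value = [int]$props.$id }
        # An absent value means the zone's built-in default template applies.
        $setting = 'Not set (zone default applies)'
        if ($null -ne $value) {
            $setting = $Meaning[$value]
            if (-not $setting) { $setting = "Other ($value)" }
        }
        [pscustomobject]@{
            Action  = $id
            Name    = $ActiveXActions[$id]
            Value   = $value
            Setting = $setting
            Silent  = ($value -eq 0)   # runs without asking the user
        }
    }
}

function Set-ActiveXZonePrompt {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $ZoneKey)
    $silent = @(Get-ActiveXZonePolicy -Path $Path | Where-Object { $_.Silent })
    foreach ($row in $silent) {
        # Only "Enable" is changed; "Disable" is stricter and is left alone.
        if ($PSCmdlet.ShouldProcess("$Path\$($row.Action)", 'Set to 1 (Prompt)')) {
            Set-ItemProperty -Path $Path -Name $row.Action -Value 1 -Type DWord
        }
    }
}

Get-ActiveXZonePolicy | Format-Table -AutoSize   # review the current state
Set-ActiveXZonePrompt -WhatIf                    # preview; drop -WhatIf to apply
```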

Machines already infected with the Qhosts Trojan can be cleaned using a variety of anti-virus packages, or cleansed manually by editing the Windows Registry. Instructions for the latter can be found on several security sites.
