Exploit Rocks IE, Downloads Scores Of Spyware, Adware

The exploit has so far shown up on hard-core porn sites, which are serving up a buffet of badware to visitors. It's thought to be related to WebAttacker, a multi-exploit attack "kit" created by a Russian group that sells for as little as $15 to $20.
Virtually every security organization raised the alarm, including US-CERT, the federal cyber-alert agency, which issued a warning just before noon EDT.

And that's a good idea, said Ollmann of ISS. "This vulnerability lies within code that's shared by a large number of Microsoft products, so it has a much wider footprint of attack than other recent zero-day vulnerabilities.

"This is the kind of exploit that we see in IE only once every two or three months."

In fact, the last time that an unpatched bug in IE was widely used to distribute a broad range of malware was in March, when the CreateTextRange bug was used by scores of malicious sites to seed PCs with spyware and adware.

The attacks could also get worse. "With the nature of VML, attackers could embed this exploit inside e-mail," Ollmann said. A user who only viewed an HTML-based message would succumb to the attack, he added.

Microsoft's only advice to users was to keep their anti-virus software up to date, and not to surf to "untrusted" sites or open suspicious e-mail messages. Sunbelt, ISS, and other security vendors suggested that users could protect themselves against the current exploit by disabling JavaScript.

But even that might not work for long. "JavaScript isn't required for this exploit to work," said Ollmann. "It would be a trivial change to make it work without Java."

The VML vulnerability is the second unpatched flaw in IE that has been disclosed in the last five days. On Friday, researchers warned of a bug in IE's handling of an ActiveX control included with Windows.
