Third-Party IE Patches Moving Fast As Spam Attack Starts - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

05:44 PM

Third-Party IE Patches Moving Fast As Spam Attack Starts

A spokesperson for eEye Digital Security said its workaround had been downloaded by more than 94,000 users, while another security vendor warned that attackers were drawing people to malicious Web sites that exploit the flaw.

Tens of thousands of Internet Explorer users aren't waiting for Microsoft Corp. to provide a patch for the critical bug in their browser, and have instead installed unsanctioned fixes from security companies.

On Thursday, a spokesperson for eEye Digital Security said that its workaround had been downloaded by more than 94,000 users, while another security vendor warned that attackers were drawing people with a large-scale spam campaign to malicious Web sites which exploit the flaw.

The vulnerability is in IE's processing of the "createTextRange()" JavaScript method call, and is currently being exploited by hundreds of Web sites, including legitimate sites that have been compromised by hackers. Security organizations have tagged the zero-day bug with "extremely critical" labels, and Microsoft has promised it will patch the flaw no later than April 11, its next regularly-scheduled update.

As in the Windows Metafile (WMF) vulnerability and outbreak of December and January, others have stepped in where Microsoft has been unable to tread. Then, independent researcher Ilfak Guilfan created an unsanctioned patch for the problem. This time, two companies, eEye Digital Security of Aliso Viejo, Calif. and Redwood City, Calif.-based Determina, have proffered patches.

Determina was not able to provide a tally of the number of users who have downloaded its fix.

If the createTextRange saga takes the same line as the WMF vulnerability, Microsoft may feel pressured to release a patch "out-of-cycle," or before the April 11 update.

But Marc Maiffret, co-founder of eEye, doesn't think that will happen. "They run a risk if they rush it out," said Maiffret. "That would be the worst case scenario, so I think they'll end up putting it out on the 11th."

On Wednesday, Mike Nash, the head of Microsoft's security efforts, didn't hint at any rush, although he left the door open to an out-of-cycle fix.

"The good news here is that we are on a path to include the fix for the zero day vulnerability as part of the April [11] IE cumulative security update and possibly sooner if our ongoing monitoring and analysis of attempts to exploit vulnerability shows customers are being impacted seriously," Nash wrote on the Microsoft Security Response Center blog.

There's less need for speed this time than in January, Maiffret said, noting that unlike with the WMF bug, there is a workaround for createTextRange: disabling IE's Active Scripting.

But Dan Hubbard, senior director of security and research at Websense, said there was some urgency.

The exploit is now being distributed in a massive e-mail spam campaign, he said, using messages posing as links to BBC stories about the U.S. dollar's problems standing firm against the euro and yen. The San Diego-based company posted an advisory Thursday that includes a screenshot of one such e-mail.

"Click on a link and it takes you to the exploit code," said Hubbard. Websense's research, he said, has found that the group spamming the attack was also behind similar attacks that played off fears of the avian flu and the news of the death of Serbian strongman Slobodan Milosevic. Like those earlier attacks, the newest uses a vulnerability to secretly install a variety of malicious software on users' PCs. "It started with bots, then moved to spyware, and now is installing banking keyloggers," Hubbard said.

Although attacks using the createTextRange exploit aren't as widespread as when sites latched onto the WMF flaw late last year, Hubbard said that the worst may still be to come. Websense was watching for signs of an escalation that could dramatically boost the number of sites using the exploit.

"We're watching for a wider spread," said Hubbard, who added that Websense is in frequent contact with Microsoft. "But sometimes waiting for something is dangerous."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
The State of IT & Cybersecurity Operations 2020
The State of IT & Cybersecurity Operations 2020
Download this report from InformationWeek, in partnership with Dark Reading, to learn more about how today's IT operations teams work with cybersecurity operations, what technologies they are using, and how they communicate and share responsibility--or create risk by failing to do so. Get it now!
The Best Way to Get Started with Data Analytics
John Edwards, Technology Journalist & Author,  7/8/2020
10 Cyberattacks on the Rise During the Pandemic
Cynthia Harvey, Freelance Journalist, InformationWeek,  6/24/2020
IT Trade Shows Go Virtual: Your 2020 List of Events
Jessica Davis, Senior Editor, Enterprise Apps,  5/29/2020
Register for InformationWeek Newsletters
Current Issue
Key to Cloud Success: The Right Management
This IT Trend highlights some of the steps IT teams can take to keep their cloud environments running in a safe, efficient manner.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll