Third-Party IE Patches Moving Fast As Spam Attack Starts - InformationWeek

3/30/2006
05:44 PM


A spokesperson for eEye Digital Security said its workaround had been downloaded by more than 94,000 users, while another security vendor warned that attackers were drawing people to malicious Web sites that exploit the flaw.

Tens of thousands of Internet Explorer users aren't waiting for Microsoft Corp. to provide a patch for the critical bug in their browser, and have instead installed unsanctioned fixes from security companies.

On Thursday, a spokesperson for eEye Digital Security said that its workaround had been downloaded by more than 94,000 users, while another security vendor warned that attackers were using a large-scale spam campaign to draw people to malicious Web sites that exploit the flaw.

The vulnerability is in IE's processing of the "createTextRange()" JavaScript method call and is currently being exploited by hundreds of Web sites, including legitimate sites that have been compromised by hackers. Security organizations have tagged the zero-day bug with "extremely critical" labels, and Microsoft has promised it will patch the flaw no later than April 11, its next regularly scheduled update.

As in the Windows Metafile (WMF) vulnerability and outbreak of December and January, others have stepped in where Microsoft has been unable to tread. Then, independent researcher Ilfak Guilfanov created an unsanctioned patch for the problem. This time, two companies, eEye Digital Security of Aliso Viejo, Calif., and Redwood City, Calif.-based Determina, have proffered patches.

Determina was not able to provide a tally of the number of users who have downloaded its fix.

If the createTextRange saga takes the same line as the WMF vulnerability, Microsoft may feel pressured to release a patch "out-of-cycle," or before the April 11 update.

But Marc Maiffret, co-founder of eEye, doesn't think that will happen. "They run a risk if they rush it out," said Maiffret. "That would be the worst case scenario, so I think they'll end up putting it out on the 11th."

On Wednesday, Mike Nash, the head of Microsoft's security efforts, didn't hint at any rush, although he left the door open to an out-of-cycle fix.

"The good news here is that we are on a path to include the fix for the zero day vulnerability as part of the April [11] IE cumulative security update and possibly sooner if our ongoing monitoring and analysis of attempts to exploit vulnerability shows customers are being impacted seriously," Nash wrote on the Microsoft Security Response Center blog.

There's less need for speed this time than in January, Maiffret said, noting that unlike with the WMF bug, there is a workaround for createTextRange: disabling IE's Active Scripting.

But Dan Hubbard, senior director of security and research at Websense, said there was some urgency.

The exploit is now being distributed in a massive e-mail spam campaign, he said, using messages posing as links to BBC stories about the U.S. dollar's problems standing firm against the euro and yen. The San Diego-based company posted an advisory Thursday that includes a screenshot of one such e-mail.

"Click on a link and it takes you to the exploit code," said Hubbard. Websense's research, he said, has found that the group spamming the attack was also behind similar attacks that played off fears of the avian flu and the news of the death of Serbian strongman Slobodan Milosevic. Like those earlier attacks, the newest uses a vulnerability to secretly install a variety of malicious software on users' PCs. "It started with bots, then moved to spyware, and now is installing banking keyloggers," Hubbard said.

Although attacks using the createTextRange exploit aren't as widespread as when sites latched onto the WMF flaw late last year, Hubbard said that the worst may still be to come. Websense was watching for signs of an escalation that could dramatically boost the number of sites using the exploit.

"We're watching for a wider spread," said Hubbard, who added that Websense is in frequent contact with Microsoft. "But sometimes waiting for something is dangerous."
