Third-Party IE Patches Moving Fast As Spam Attack Starts
A spokesperson for eEye Digital Security said its workaround had been downloaded by more than 94,000 users, while another security vendor warned that attackers were drawing people to malicious Web sites that exploit the flaw.
Tens of thousands of Internet Explorer users aren't waiting for Microsoft Corp. to provide a patch for the critical bug in their browser, and have instead installed unsanctioned fixes from security companies.
On Thursday, a spokesperson for eEye Digital Security said that its workaround had been downloaded by more than 94,000 users, while another security vendor warned that attackers were drawing people with a large-scale spam campaign to malicious Web sites which exploit the flaw.
As in the Windows Metafile (WMF) vulnerability and outbreak of December and January, others have stepped in where Microsoft has been unable to tread. Then, independent researcher Ilfak Guilfan created an unsanctioned patch for the problem. This time, two companies, eEye Digital Security of Aliso Viejo, Calif. and Redwood City, Calif.-based Determina, have proffered patches.
Determina was not able to provide a tally of the number of users who have downloaded its fix.
But Marc Maiffret, co-founder of eEye, doesn't think that will happen. "They run a risk if they rush it out," said Maiffret. "That would be the worst case scenario, so I think they'll end up putting it out on the 11th."
On Wednesday, Mike Nash, the head of Microsoft's security efforts, didn't hint at any rush, although he left the door open to an out-of-cycle fix.
"The good news here is that we are on a path to include the fix for the zero day vulnerability as part of the April  IE cumulative security update and possibly sooner if our ongoing monitoring and analysis of attempts to exploit vulnerability shows customers are being impacted seriously," Nash wrote on the Microsoft Security Response Center blog.
There's less need for speed this time than in January, Maiffret said, noting that unlike with the WMF bug, there is a workaround for createTextRange: disabling IE's Active Scripting.
But Dan Hubbard, senior director of security and research at Websense, said there was some urgency.
The exploit is now being distributed in a massive e-mail spam campaign, he said, using messages posing as links to BBC stories about the U.S. dollar's problems standing firm against the euro and yen. The San Diego-based company posted an advisory Thursday that includes a screenshot of one such e-mail.
"Click on a link and it takes you to the exploit code," said Hubbard. Websense's research, he said, has found that the group spamming the attack was also behind similar attacks that played off fears of the avian flu and the news of the death of Serbian strongman Slobodan Milosevic.
Like those earlier attacks, the newest uses a vulnerability to secretly install a variety of malicious software on users' PCs. "It started with bots, then moved to spyware, and now is installing banking keyloggers," Hubbard said.
Although attacks using the createTextRange exploit aren't as widespread as when sites latched onto the WMF flaw late last year, Hubbard said that the worst may still be to come. Websense was watching for signs of an escalation that could dramatically boost the number of sites using the exploit.
"We're watching for a wider spread," said Hubbard, who added that Websense is in frequent contact with Microsoft. "But sometimes waiting for something is dangerous."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.