Third-Party IE Patches Moving Fast As Spam Attack Starts - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

05:44 PM

Third-Party IE Patches Moving Fast As Spam Attack Starts

A spokesperson for eEye Digital Security said its workaround had been downloaded by more than 94,000 users, while another security vendor warned that attackers were drawing people to malicious Web sites that exploit the flaw.

Tens of thousands of Internet Explorer users aren't waiting for Microsoft Corp. to provide a patch for the critical bug in their browser, and have instead installed unsanctioned fixes from security companies.

On Thursday, a spokesperson for eEye Digital Security said that its workaround had been downloaded by more than 94,000 users, while another security vendor warned that attackers were drawing people with a large-scale spam campaign to malicious Web sites which exploit the flaw.

The vulnerability is in IE's processing of the "createTextRange()" JavaScript method call, and is currently being exploited by hundreds of Web sites, including legitimate sites that have been compromised by hackers. Security organizations have tagged the zero-day bug with "extremely critical" labels, and Microsoft has promised it will patch the flaw no later than April 11, its next regularly-scheduled update.

As in the Windows Metafile (WMF) vulnerability and outbreak of December and January, others have stepped in where Microsoft has been unable to tread. Then, independent researcher Ilfak Guilfan created an unsanctioned patch for the problem. This time, two companies, eEye Digital Security of Aliso Viejo, Calif. and Redwood City, Calif.-based Determina, have proffered patches.

Determina was not able to provide a tally of the number of users who have downloaded its fix.

If the createTextRange saga takes the same line as the WMF vulnerability, Microsoft may feel pressured to release a patch "out-of-cycle," or before the April 11 update.

But Marc Maiffret, co-founder of eEye, doesn't think that will happen. "They run a risk if they rush it out," said Maiffret. "That would be the worst case scenario, so I think they'll end up putting it out on the 11th."

On Wednesday, Mike Nash, the head of Microsoft's security efforts, didn't hint at any rush, although he left the door open to an out-of-cycle fix.

"The good news here is that we are on a path to include the fix for the zero day vulnerability as part of the April [11] IE cumulative security update and possibly sooner if our ongoing monitoring and analysis of attempts to exploit vulnerability shows customers are being impacted seriously," Nash wrote on the Microsoft Security Response Center blog.

There's less need for speed this time than in January, Maiffret said, noting that unlike with the WMF bug, there is a workaround for createTextRange: disabling IE's Active Scripting.

But Dan Hubbard, senior director of security and research at Websense, said there was some urgency.

The exploit is now being distributed in a massive e-mail spam campaign, he said, using messages posing as links to BBC stories about the U.S. dollar's problems standing firm against the euro and yen. The San Diego-based company posted an advisory Thursday that includes a screenshot of one such e-mail.

"Click on a link and it takes you to the exploit code," said Hubbard. Websense's research, he said, has found that the group spamming the attack was also behind similar attacks that played off fears of the avian flu and the news of the death of Serbian strongman Slobodan Milosevic. Like those earlier attacks, the newest uses a vulnerability to secretly install a variety of malicious software on users' PCs. "It started with bots, then moved to spyware, and now is installing banking keyloggers," Hubbard said.

Although attacks using the createTextRange exploit aren't as widespread as when sites latched onto the WMF flaw late last year, Hubbard said that the worst may still be to come. Websense was watching for signs of an escalation that could dramatically boost the number of sites using the exploit.

"We're watching for a wider spread," said Hubbard, who added that Websense is in frequent contact with Microsoft. "But sometimes waiting for something is dangerous."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
Can Cloud Revolutionize Business and Software Architecture?
Joao-Pierre S. Ruth, Senior Writer,  1/15/2021
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
How CDOs Can Build Insight-Driven Organizations
Jessica Davis, Senior Editor, Enterprise Apps,  1/15/2021
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll