Web Site Attacks Against Unpatched IE Flaw Spike
An anonymous reader wrote to mention a Washingtonpost.com article about an increase in attacks against IE users via a critical, unpatched flaw. The bug allows software to be downloaded to the vulnerable PC even if the only act the user takes is browsing to a web site. From the article: "[A] password-stealing program landed on the Windows PC belonging to Reaz Chowdhury, a programmer for Oracle Corp. who works out of his home in Orlando, Fla. Chowdhury said he's not sure which site he browsed in the past 24 hours that hijacked his browser, but he confirmed that the attackers had logged the user name and password for his company's virtual private network (VPN)."
More than 200 Web sites -- many of them belonging to legitimate businesses -- have been hacked and seeded with code that tries to take advantage of an unpatched security hole in Microsoft's Internet Explorer Web browser to install hostile code on Windows computers when users merely visit the sites.
Who is John Galt?
Sometimes one wonders how Microsoft maintains its customer base in the face of these kinds of security problems. It's truly scary. And I don't need a refresher in the market forces at work.
Over on the Linux and alternative-browser side, where I live, I see patches coming out very quickly for any kind of exploit.
Sadly, the patch for the new IE flaw is scheduled for April 11th? This is according to a BBC report here:
http://news.bbc.co.uk/2/hi/technology/4849904.stm
Can't they do better than that? How about an emergency patch, followed by a fully tested one? Just something to knock the vulnerability into non-functional status? Hey, it's fine if the patch is imperfect -- I'll beta test to save my banking information. Really.
I suppose I wouldn't have a problem with Microsoft's monopoly if they actually service me as a customer well enough that they deserved a monopoly position. I like a lot of their software. But these kinds of security issues need to be addressed better and faster.
Ironically, I pay a lot less for my Linux servers and get better responses for both support and patches. That makes a difference to me.
Another consultant who stuck it out.
"We are the Priests, of the Temples of Syrinx..."
Normally, I let my sig do all the griping for me, but this is really bad. It took me three tries to understand what the title was saying. Try the following for maximum clarity:
"Website Attacks Against Unpatched IE Flaw Spike"
Actually, this would be even clearer if you put the verb before the prepositional phrase:
"Website Attacks Spike Against Unpatched IE Flaw"
It's unclear because both "spike" and "flaw" can be verbs or nouns, and the broken "unpatch" disrupts our ability to smoothly interpret the rest of the sentence thanks to turning an adjective into a present tense verb.
(I know I'm not perfect by a long shot on spelling and grammar, but it's not my job to post legibly on Slashdot.)
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
This is a little like the WMF flaw that became known just after Christmas. Eventually MS had to provide an out-of-cycle patch (even if it was just a few days early) because of the bad press they were getting. From the looks of things, the patch for this one will be ready soon too... so any kind of noise you can make to get an early release would be a Good Thing.
Yeah yeah, MS will get a lot of flak from Slashdotters on this, but you should bear in mind that they also provide some decent patching tools like WSUS for administrators to roll these things out. Personally, I never use IE on my Windows box, but I'm afraid it's still a fact of life in most large businesses.
Never email donotemail@WeAreSpammers.com
You are making the assumption that attacks come after the most popular software. If you read the interviews with the coders (not the SKs that will grab, slightly mod, and release them), you will find that they rarely go after code due to popularity. They go after code because it is so simple to do so. Basically, Windows, IE, Outlook, and IIS are just so easy to attack.
In fact, if MS is successful in creating an OS and set of apps that are more secure than the others, it will mean that Linux, BSD, Mac, and other *nix will be the target. Statistically and historically, I seriously doubt that MS can do it, but they appear to be doing the right thing.
I prefer the "u" in honour as it seems to be missing these days.
For crying out loud, that's probably like 99% of MSIE's vulnerability. I know it's one of Microsoft's "gems" and one of its primary tools to keep the competition locked out of the areas they currently control, but it's seemingly forever the access point for evil-doers' access to people's computers. Disabling ActiveX is almost always if not entirely the answer to the problem in the short term.
I don't know what the best answer should be for those who need to use ActiveX in the meantime... I guess it's kinda like smoking or other addictions that are generally risky and unhealthy -- it's painful to stop but pretty damned necessary.
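The short-term mitigation the comment above recommends, disabling ActiveX for sites in IE's Internet zone, can be applied and verified from PowerShell. The script below is an added example written for this thread; it is not from the article or from any commenter. It assumes the documented IE URL-security-zone registry layout (zone 3 is the Internet zone; action IDs 1200, 1001, 1004 and 1201 are the ActiveX-related actions; data 0 = enable, 1 = prompt, 3 = disable) and that the setting is applied per user under HKCU. The function names `Get-ActiveXZoneState` and `Disable-ActiveXInInternetZone` are the example's own.

```powershell
# Added example, not from the article or the commenters: disable ActiveX in IE's
# Internet zone for the current user and read the resulting state back.
# Assumed registry layout (per Microsoft's zone documentation):
#   zone 3 = Internet zone
#   1200 = "Run ActiveX controls and plug-ins"
#   1001 = "Download signed ActiveX controls"
#   1004 = "Download unsigned ActiveX controls"
#   1201 = "Initialize and script ActiveX controls not marked as safe"
#   data: 0 = Enable, 1 = Prompt, 3 = Disable

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$ActiveXActions = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneState {
    # Returns one object per ActiveX action with its current value and a readable label.
    $props = Get-ItemProperty -Path $ZonePath
    foreach ($id in $ActiveXActions.Keys) {
        $val = $props.$id
        if ($null -eq $val) {
            $state = 'Not set (zone default applies)'
        } elseif ($Labels.ContainsKey([int]$val)) {
            $state = $Labels[[int]$val]
        } else {
            $state = "Unknown ($val)"
        }
        [pscustomobject]@{
            ActionId = $id
            Action   = $ActiveXActions[$id]
            Value    = $val
            State    = $state
        }
    }
}

function Disable-ActiveXInInternetZone {
    # Sets every ActiveX-related action in the Internet zone to 3 (Disable).
    foreach ($id in $ActiveXActions.Keys) {
        Set-ItemProperty -Path $ZonePath -Name $id -Value 3 -Type DWord
    }
}

Write-Host 'ActiveX settings for the Internet zone, before:'
Get-ActiveXZoneState | Format-Table -AutoSize

Disable-ActiveXInInternetZone

Write-Host 'ActiveX settings for the Internet zone, after:'
Get-ActiveXZoneState | Format-Table -AutoSize
```

Run the script in a PowerShell session as the user whose IE profile should be hardened; the "before" table shows what the zone currently allows, so a value of 0 on action 1200 is the state the comment is warning about. If an administrator has pushed the same settings through Group Policy, the policy copy under HKLM or the Policies subtree takes precedence, and the HKCU values written here will be reported as set but not honoured by the browser.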
Sorry to break it to you, but Mac OS X makes you pay for updates too. You have to pay for every update -- 10.1, 10.2, 10.3, etc. Each of them costs money. So if you bought OS X or OS 10.1 and you want to update to the latest version of Safari or Firefox -- guess what, you have to shell out some cash because Firefox requires Mac OS X 10.2.x and the secure version of Safari requires 10.3 I think.
Because of this, my girlfriend who has an old Apple powerbook can't surf the web worth shit. So don't think that a for-profit company such as Apple will be the cure to all your M$ woes.
Microsoft's Calculator is actually 2 distinct calculators (at least the XP one is) -- the order of calculation varies depending on whether you have "Basic" or "Advanced" view:
4 + 2 * 6 evaluates left to right for the basic view, giving the answer 36. The advanced (scientific) view does it by algebraic hierarchy, so the multiplication is done first, giving 16.
(FWIW, the OS X calculator does it the algebraic way, but the calculator widget does it the left to right way)
"She's furniture with a pulse"
It's true, other browsers are not 100% safe, but you're much less likely to get hit by an exploit with other browsers even if hackers go after them, because they just don't have as many vulnerabilities, they're not as serious, and they're patched faster on average. Of course, being less popular than IE means that hackers go after them less, too, but that's hardly the only reason they're safer.
You're still not 100% safe using other browsers — you still should also use firewall, anti-virus, anti-spyware, and anti-adware programs, as well as not download executables from untrusted sources and practice other common sense safe practices, to minimize your exposure to malware.
What a fool believes, he sees, no wise man has the power to reason away.