Widespread Attacks Exploit Newly-Patched IE Bug

itwbennett writes "The first widespread attack to leverage the Internet Explorer flaw that Microsoft patched in an emergency update Thursday morning has surfaced. By midday Thursday Symantec had spotted hundreds of Web sites that hosted the attack code. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system, said Joshua Talbot, a security intelligence manager with Symantec. Once it has infected a PC, the Trojan sends a notification e-mail to the attackers, using a US-based, free e-mail service that Symantec declined to name." Relatedly, reader N!NJA was among several to point out that Microsoft has apparently been aware of this flaw since September.

threat?

[clarkn0va]

Microsoft has apparently been aware of this flaw since September.

Further evidence that the only "threat" as far as MS is concerned is the threat of a damaged public perception. Although I suppose that's an improvement in itself.

Re:threat?

[v1]

What's unfortunate here is there's still a lot of people out there that don't understand why some security researchers publish security bugs they find. It's issues like this where "We reported this to you FOUR MONTHS AGO and you haven't fixed it yet. We're going public with it tomorrow." Oh noes! Everyone's computer getting owned, it's all your fault, you should keep security bugs QUIET so we have time to fix them!.

Ya, right, whatever. They don't want the researchers to keep the bugs quiet so they "have time to fix them". Clearly four months is more than enough time to fix anything important. So, just how many more of these critical security bugs are we continuing to keep under wraps until someone exploits them before getting around to fixing? The logical conclusion is the researchers should give companies like MS a flat 30 days notice, and then go public immediately after that. At least we'd be getting the bugs patched 35 days after discovery, instead of 130 days. Either way, the amount of exposure we experience is the same, they're going to drag their feet until someone lights a fire under them. The only one this "irresponsible disclosure" hurts is the publisher. In the end, it helps the users, because the publishers now have a concrete deadline to avoid losing face, rather than "lets hope no one else discovers this before spring".

We don't need them gambling with our security, and that's exactly what they're pushing with their cries for "responsible disclosure".

Re:threat?

[Kozz]

If you use windows without IE you are still very much at risk from the many other windows holes. You will cracked sooner or later and you may not even notice.

Even more disturbing, some people may notice and not think much of it. What is the most obvious evidence you can imagine of being 0wned? I talked to a guy once who was telling me of PC troubles (he knew I was a "techie" guy) and said he occasionally would notice the mouse would move, click, etc without his input. I quickly asked him if he did any kind of commerce, banking, online bill-paying stuff, and he said "yes". I told him to go home and unplug his modem/cat5/whatever and to format the computer asap.

It wasn't clear what exactly he thought the problem was, but I recall thinking he was surprised when I told him that there was a person on the other end of the wire moving the mouse, using his PC for who-knows-what. And even then he didn't seem to have a sense of urgency about fixing it. You can't fix stupid, as they say.

Re:This clearly needs 10 more stories

[1s44c]

This has been covered ad nauseum here. Do we really need an update every 10 hours? A bug was exploited, it is now patched. Anyone who falls victim to it now deserves to do.

Thats not entirely fair. It's not practical for many people to update all systems within a day or two. Most organizations don't move that fast.

A US-based, free e-mail service

[Stephan202]

[...] the Trojan sends a notification e-mail to the attackers, using a US-based, free e-mail service that Symantec declined to name.

Hotmail, perhaps? No?

Re:kind of makes you wonder

[BartholomewBernsteyn]

That is the main problem with closed source software; in the event of a security hole, you as a customer / company are left to the mercy / arrogance of your software vendor to patch the flaw. Until he does, you can do nothing but become increasingly concerned, since you're left to the increasing danger of having your machine compromised in the meantime. This might be the right time to educate people about the main merit of open source software: As soon as a security hole is discovered, virtually anyone can contribute to a timely resolution. 0day? Fixed tomorrow!

Re:kind of makes you wonder

[Penguinisto]

I'm the last guy you can accuse of being a Microsoft fanboy, but let's be fair on at least one aspect: it is helpful if the patches do their job (closing the hole) without breaking functionality (especially with enterprise software, where Microsoft counts its biggest customers).

I agree perfectly that it is a fundamental flaw in proprietary software to have potentially exploitable vulns that only, say, Microsoft and maybe the script kiddies know about. I further agree that failing to disclose them prevents users from implementing some sort of work-around (depending on severity, blocking certain script actions at the proxy, implementing certain GPO actions to mitigate damage, etc). OTOH, most of Microsoft's customer base wouldn't even know what a work-around is (aside from just using a different browser, which is probably not what you'll see Microsoft recommending).

The nasty stuff is lurking in there, certainly. Whether the bad guys know about it and can actually use it is another matter. I personally subscribe to the philosophy of full disclosure - it is better that everyone using the product know about flaws in it, if only to protect themselves. OTOH, I can see and appreciate (though not quite agree to) the opposite tack of limiting fields of research for the bad guys, as evidenced by the bad guys' habit (among others) of sifting through patches to find the flaws... where I part ways is in knowing that the patch-sifting is only one of many tools in which to find vulns. Whether it is the most popular method or not, I do not know.

Re:Update your Acrobat Reader.

[Antique+Geekmeister]

Maybe, just maybe, they should throw out most XML use. It's expandability and flexibility have caused repeated security and performance issues, and it's being used consistently instead of far simpler and more robust configuration technologies.

Re:kind of makes you wonder

[b4dc0d3r]

I'm a software developer. I have a list of things I need to fix, some things are higher priority. We set a date, and work as many patches as we can toward that date, into a single release or patch. Makes it easier to test when you bundle several things together, and can test 5 patches with a single test case instead of individually. That makes the cycle more efficient.

Now, a large company would have more patches, and more would be high priority. So they fix what they can, that makes sense. Open the bug list, sort by priority, own one (or get assigned one). To the developer, this is just one of several (hundred?) problems on the list. Management has to increase the priority based on input from triage.

The entire world might know a defect is a security vulnerability, but if it's not made clear to the triage guy, it will sit as "possible denial of service" medium or medium-well priority until the known vectors are taken care of.

Thinking about it this way makes Microsoft's blunders understandable. Not forgivable of course. My customer sends me a bug report and says "gwah, you're exposing my entire database to everyone fix it now or face a lawsuit!!!!eleventy". I say, let's take a look, we find out that yes you can see the entire data set - after you enter your credentials and only while on your company's network, and you just sent a mail to your competitor with your credentials in it. Change your password, WONTFIX. In other words, MS has to have good info in order to decide how to prioritize.

At the same time, they have to keep their customers and shareholders happy, so while the triage guy says "this is the worst bug ever in the history of everything and it needs to be fixed yesterday" the company itself says to the employee "sure, but follow all processes and have it reviewed and put it in the next patch cycle and we'll test all of them next week and prepare for a release next week."

Then to its customers and shareholders it says "A small, hard-to-exploit exploit has been found and even though ASLR and DEP and sandboxing are in place, someone might after a million failures be able to exploit this exploit so we've decided to be proactive and fix this exploit. We haven't heard of anyone exploiting this exploit, but we didn't really ask any of our friends in the malicious software industry - but that was just because we didn't want to tip our hand. Your security is, after all, very important to us. Exploit."

In short: there are more than we'll ever know.

Re:kind of makes you wonder

[mpe]

That is the main problem with closed source software; in the event of a security hole, you as a customer / company are left to the mercy / arrogance of your software vendor to patch the flaw.

Or even admit that there actually is a flaw. Microsoft were told about this months ago and there's no reason to believe that the first person to find a flaw with be a "white hat".