Widespread Attacks Exploit Newly-Patched IE Bug
itwbennett writes "The first widespread attack to leverage the Internet Explorer flaw that Microsoft patched in an emergency update Thursday morning has surfaced. By midday Thursday Symantec had spotted hundreds of Web sites that hosted the attack code. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system, said Joshua Talbot, a security intelligence manager with Symantec. Once it has infected a PC, the Trojan sends a notification e-mail to the attackers, using a US-based, free e-mail service that Symantec declined to name."
Relatedly, reader N!NJA was among several to point out that Microsoft has apparently been aware of this flaw since September.
in TFA: The flaw was in the Microsoft Security Response Center's (MSRC) queue to be fixed in the next batch of patches due in February but the targeted zero-day attacks against U.S.
Kinda makes you wonder just how many of these critical security bugs IE currently has in their queue to be fixed "sometime in the near future"?
And at the same time you have to wonder just how nasty some of the others are that haven't made the cut yet, just waiting to become the next "zero day we own your computer, again"? We see how big of an issue this is, and MS was clearly in no hurry to fix it, so you'd have to assume that there are at least a few more of these that they know about and aren't fixing yet.
I work for the Department of Redundancy Department.
What protocol is used to search the system? Sure, the attacker can get in, but once inside, just how much access do they have?
Do they get returned an FTP / HTTP view of the computer folder by folder? Do you get kicked into a telnet terminal / ssh terminal, maybe even an NFS terminal?
Correct me if I'm wrong (but I do have a CCNA cert), but why not block the access ports that get opened, unless it's port 80, and then filter the traffic?
Yes, it's Microsoft's problem to roll out a patch and fix the bug, but it seems like there's a lot that the user could do before the patch is ready.
So someone or a project team writes some code. The code is later found to be used as part of an exploit that further harms the reputation of the company. Does anyone ever go back and say "hey, you wrote this crappy code! You're fired!"?
It almost seems there are more vulnerabilities (both patched and unpatched) than there are lines in the Windows source code. I know there will be no end to the finger pointing where developers decry the problem of deadlines while management points to the lack of skilled coders. But seriously, how much of all this can be attributed to poor programming practices? I remember from the earliest days of coding C that there were a few functions that existed that wise programmers should avoid as the use of those functions would immediately make your programs vulnerable. Further, it seems that bounds checking and other data validation needs to go on more often as well. How is it that the top dog in the software game can't keep up with these very simple principles?
And what of public disclosure? Some people try to say that public disclosure is what is responsible for most of the hacking that goes on out there. Meanwhile, this was essentially a -1 day vulnerability that didn't get disclosed until after the damage was done... or was it? Was this yet another of the reported bugs that Microsoft sits on rather than acts on? While following the bugtraq and other mailing lists, I observe that Microsoft tends to ignore or disregard a great many of the bugs reported to it, so I have to wonder.
It is rather telling that the same type of buffer trouble is showing up in other people's software. I am just wondering if the flood "Gates" are about to open and we will wind up seeing multiple troubles with things like WMP, Silverlight... there was already the same update happening for RealPlayer.
Just maybe there is a system XML call that is easily exploited in all versions of Windows... I can just see it now, some lazy MS exec using old legacy system XML that is written using the gets and puts functions. I would not put it past Microsoft to use old garbage code without even checking the old source, then including the pre-compiled executable.
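The two comments above (avoiding the classic unsafe C functions, and doing bounds checking on input) are the point that the following added example illustrates. It is not code from the article, from any commenter, or from any Microsoft product; the buffer size NAME_BUF, the function names and the sample strings are all constructed for this example. gets() cannot know the size of its destination and strcpy() copies until the source terminator, so both overrun a fixed buffer on long input. The bounded replacements below take an explicit size and report "does not fit" as an error rather than silently overflowing or silently truncating.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the article or any product it discusses.
 * gets() has no way to learn the destination size and strcpy() copies
 * until the source NUL, so both write past a fixed buffer on long input.
 * The two functions below are the bounded replacements: every write is
 * limited by a caller-supplied size, and "does not fit" is a reported
 * error instead of a silent overflow or a silent truncation. */

enum { NAME_BUF = 16 };   /* illustrative buffer size, chosen for the example */

/* Copy src into dst[dst_size] only if it fits, NUL included.
 * Returns 0 on success, -1 if dst would overflow (dst is then set to "").
 * memchr() never scans beyond dst_size bytes of src, so an unterminated
 * or oversized source cannot make this function read or write too far. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {            /* no terminator within the limit: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Read one line from fp into buf[buf_size] with fgets(), the bounded
 * replacement for gets(). Returns 0 if a complete line was stored, -1 on
 * EOF with nothing read, and -2 if the line was longer than the buffer;
 * in that case the rest of the line is drained so the next call starts
 * on a fresh line instead of on the tail of this one. */
int read_line_bounded(FILE *fp, char *buf, size_t buf_size)
{
    if (buf_size == 0 || fgets(buf, (int)buf_size, fp) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 0;
    }
    /* No newline: the line either filled the buffer or ended at EOF. */
    int c, overflowed = 0;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        overflowed = 1;
    return overflowed ? -2 : 0;
}

/* Helper for trying read_line_bounded() on an in-memory string: writes the
 * text to a temporary file and reads it back. Constructed for the example. */
int read_line_from_text(const char *text, char *buf, size_t buf_size)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    fputs(text, fp);
    rewind(fp);
    int rc = read_line_bounded(fp, buf, buf_size);
    fclose(fp);
    return rc;
}

int main(void)
{
    char name[NAME_BUF];
    printf("short: %d [%s]\n", bounded_copy(name, sizeof name, "alice"), name);
    printf("long:  %d\n", bounded_copy(name, sizeof name, "this name is far too long"));
    printf("line:  %d [%s]\n", read_line_from_text("bob\n", name, sizeof name), name);
    printf("over:  %d\n", read_line_from_text("a line longer than sixteen bytes\nnext\n",
                                              name, sizeof name));
    return 0;
}
```

The design choice worth noting is the return value: rejecting an oversized input outright is usually safer than strncpy-style truncation, because a truncated path, hostname or command that is later used as though it were whole is a bug of its own. Draining the rest of an over-long line in read_line_bounded() matters for the same reason; otherwise the next read would quietly start in the middle of the attacker's input.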
So you are saying that any Windows machine that doesn't run IE is safe-ish? Because it's not; there are countless flaws in other Microsoft code, any one of which could cause a major security problem. If you don't start with a good design you have NOTHING.
You don't really trust a software firewall written by Microsoft, do you? If you want a firewall, use a proper (i.e. not software) one.
3 billion dollars in profit a quarter. Just think about that. That is 120k software developers paid 100k a year. That's how many more people they could have fixing any bug you have. It may be unreasonable to ask a public company not to make a profit, but it is quite reasonable that, even with the mythical man month, they could hire 5k more developers and testers and fix this BS. This was the size of the Windows 2000 team when I was there that year.
I knew IE 6 was going to be bad though - people from the QA team came to me and asked if managers in other teams tell you to stop entering bugs because it makes the dev team look bad. Seriously. Trident was even worse.
I've seen many compromised Linux machines sending out spam. They are especially prevalent in Germany, where 1&1 and similar mass hosters provide very cheap hosted Linux server rentals.
Of course, the issues are the same as those of compromised Windows systems:
* Not up to date on security patches
* Admin doesn't know what he's doing
* Using insecure legacy versions of software