Slashdot Mirror


Widespread Attacks Exploit Newly-Patched IE Bug

itwbennett writes "The first widespread attack to leverage the Internet Explorer flaw that Microsoft patched in an emergency update Thursday morning has surfaced. By midday Thursday Symantec had spotted hundreds of Web sites that hosted the attack code. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system, said Joshua Talbot, a security intelligence manager with Symantec. Once it has infected a PC, the Trojan sends a notification e-mail to the attackers, using a US-based, free e-mail service that Symantec declined to name." Relatedly, reader N!NJA was among several to point out that Microsoft has apparently been aware of this flaw since September.


  1. kind of makes you wonder by v1 · · Score: 5, Interesting

    in TFA: The flaw was in the Microsoft Security Response Center's (MSRC) queue to be fixed in the next batch of patches due in February but the targeted zero-day attacks against U.S.

    Kinda makes you wonder just how many of these critical security bugs IE currently has in their queue to be fixed "sometime in the near future"?

    And at the same time you have to wonder just how nasty some of the others are that haven't made the cut yet, just waiting to become the next "zero day we own your computer, again"? We see how big of an issue this is, and MS was clearly in no hurry to fix it, so you'd have to assume that there are at least a few more of these that they know about and aren't fixing yet.

    --
    I work for the Department of Redundancy Department.
    1. Re:kind of makes you wonder by BartholomewBernsteyn · · Score: 5, Insightful

      That is the main problem with closed source software; in the event of a security hole, you as a customer / company are left to the mercy / arrogance of your software vendor to patch the flaw. Until he does, you can do nothing but become increasingly concerned, since you're left to the increasing danger of having your machine compromised in the meantime. This might be the right time to educate people about the main merit of open source software: As soon as a security hole is discovered, virtually anyone can contribute to a timely resolution. 0day? Fixed tomorrow!

    2. Re:kind of makes you wonder by Runaway1956 · · Score: 2, Insightful

      "Kinda makes you wonder" if it's another slow news day. I mean, how many people did NOT see this coming? Even Joe Sixpack probably had this figured out - assuming that he even watches the evening news. Wait - maybe I'm getting senile. Joe stopped watching the news when he figured out how to schedule his programming around ESPN, More Gore Television, and Hot Chicks After Hours.

      Phhht. Maybe this IS news to part of the world?

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    3. Re:kind of makes you wonder by Penguinisto · · Score: 3, Insightful

      I'm the last guy you can accuse of being a Microsoft fanboy, but let's be fair on at least one aspect: it is helpful if the patches do their job (closing the hole) without breaking functionality (especially with enterprise software, where Microsoft counts its biggest customers).

      I agree perfectly that it is a fundamental flaw in proprietary software to have potentially exploitable vulns that only, say, Microsoft and maybe the script kiddies know about. I further agree that failing to disclose them prevents users from implementing some sort of work-around (depending on severity, blocking certain script actions at the proxy, implementing certain GPO actions to mitigate damage, etc). OTOH, most of Microsoft's customer base wouldn't even know what a work-around is (aside from just using a different browser, which is probably not what you'll see Microsoft recommending).

      The nasty stuff is lurking in there, certainly. Whether the bad guys know about it and can actually use it is another matter. I personally subscribe to the philosophy of full disclosure - it is better that everyone using the product know about flaws in it, if only to protect themselves. OTOH, I can see and appreciate (though not quite agree to) the opposite tack of limiting fields of research for the bad guys, as evidenced by the bad guys' habit (among others) of sifting through patches to find the flaws... where I part ways is in knowing that the patch-sifting is only one of many tools in which to find vulns. Whether it is the most popular method or not, I do not know.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    4. Re:kind of makes you wonder by X0563511 · · Score: 3, Interesting

      I like to think that the code for IE is so horribly mangled that it takes a solid month to get the thing to build (including compile errors, stupid typo bugs, compile time, compiling for all the different windows configs, etc)

      It makes me feel nicer that it could just be a shitty project, rather than just shitty people.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    5. Re:kind of makes you wonder by b4dc0d3r · · Score: 5, Insightful

      I'm a software developer. I have a list of things I need to fix, some things are higher priority. We set a date, and work as many patches as we can toward that date, into a single release or patch. Makes it easier to test when you bundle several things together, and can test 5 patches with a single test case instead of individually. That makes the cycle more efficient.

      Now, a large company would have more patches, and more would be high priority. So they fix what they can, that makes sense. Open the bug list, sort by priority, own one (or get assigned one). To the developer, this is just one of several (hundred?) problems on the list. Management has to increase the priority based on input from triage.

      The entire world might know a defect is a security vulnerability, but if it's not made clear to the triage guy, it will sit as "possible denial of service" medium or medium-well priority until the known vectors are taken care of.

      Thinking about it this way makes Microsoft's blunders understandable. Not forgivable of course. My customer sends me a bug report and says "gwah, you're exposing my entire database to everyone fix it now or face a lawsuit!!!!eleventy". I say, let's take a look, we find out that yes you can see the entire data set - after you enter your credentials and only while on your company's network, and you just sent a mail to your competitor with your credentials in it. Change your password, WONTFIX. In other words, MS has to have good info in order to decide how to prioritize.

      At the same time, they have to keep their customers and shareholders happy, so while the triage guy says "this is the worst bug ever in the history of everything and it needs to be fixed yesterday" the company itself says to the employee "sure, but follow all processes and have it reviewed and put it in the next patch cycle and we'll test all of them next week and prepare for a release next week."

      Then to its customers and shareholders it says "A small, hard-to-exploit exploit has been found and even though ASLR and DEP and sandboxing are in place, someone might after a million failures be able to exploit this exploit so we've decided to be proactive and fix this exploit. We haven't heard of anyone exploiting this exploit, but we didn't really ask any of our friends in the malicious software industry - but that was just because we didn't want to tip our hand. Your security is, after all, very important to us. Exploit."

      In short: there are more than we'll ever know.

    6. Re:kind of makes you wonder by cheftw · · Score: 2, Funny

      The attack installs a Trojan horse program that is able to bypass some security products

      I don't see why you're so worried, this obviously refers to the equestrian unit.

      --
      Always back up, never back down. ---- Think you're cool 'cos your uid is prime? Take mine, modulo the one digit integers
    7. Re:kind of makes you wonder by mpe · · Score: 5, Insightful

      That is the main problem with closed source software; in the event of a security hole, you as a customer / company are left to the mercy / arrogance of your software vendor to patch the flaw.

      Or even admit that there actually is a flaw. Microsoft were told about this months ago and there's no reason to believe that the first person to find a flaw will be a "white hat".

    8. Re:kind of makes you wonder by rtfa-troll · · Score: 2, Interesting
      I really would be interested to know this too. It's a fairly big coincidence that Chinese hackers should happen to be using the same exploit as was in the MS security queue. The two likely explanations that occur to me are:
      • China has access to the exploits to fix queue and has used that to develop their zero day exploits.
      • The White hat hacker got the exploit from watching an attack

      either thing sounds quite bad for Microsoft. The first means their queue security is inadequate and that's a really big problem for the policy of responsible disclosure they try to encourage. The second thing is more serious because it means Microsoft failed to fix or inform about a hole which was actively being exploited. In this case the question is whether the white hat declared to Microsoft how he came about his exploit.

      Anyone have a better explanation which doesn't involve such a coincidence?

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    9. Re:kind of makes you wonder by Zero__Kelvin · · Score: 3, Funny

      "It makes me feel nicer that it could just be a shitty project, rather than just shitty people."

      There is no reason why they can't live together in unison.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    10. Re:kind of makes you wonder by westlake · · Score: 2, Interesting

      That is the main problem with closed source software; in the event of a security hole, you as a customer / company are left to the mercy / arrogance of your software vendor to patch the flaw. Until he does, you can do nothing but become increasingly concerned...
      0day? Fixed tomorrow!

      You can patch only what you know how to patch.

      In 2008 there were between 6 and 10 million lines of code in the Linux kernel alone. Linux Kernel Surpasses 10 Million Lines of Code

      In 2003 OpenOffice.org had 9 million lines of code. Build FAQ for OpenOffice.org

      You can only test your patch only on systems you can access.

      That your home-brewed solution is seriously flawed may only be discovered by your neighbors.

      The next time they load a JPEG from your site.

      As soon as a security hole is discovered, virtually anyone can contribute to a timely resolution.

      Most likely by staying out of the way.

      There is the final problem of how to roll out a patch. The naive end-user who auto-patches was spared Cornflicker.

      Secunia integrated with Microsoft WSUS

    11. Re:kind of makes you wonder by Ifni · · Score: 2, Interesting

      Not to spark a conspiracy theory, but how much do you suppose some over-worked, under-paid, and under-appreciated Microsoft employee was paid by an agent of the Chinese government to provide this flaw from the list of yet to be addressed flaws? How much money do you think there is in selling these exploits in major software products to enemies of the state? I'm not implying that Microsoft does this intentionally, but I can see how their cavalier attitude can certainly create such an opportunity for Microsoft employees in the know. This should certainly be looked into by law enforcement officials to make sure that such leaks don't actually exist.

      --
      Oh, was that my outside voice?

    12. Re:kind of makes you wonder by ppanon · · Score: 3, Interesting

      China demanded the source code to Windows years ago and Microsoft gave it to them. I don't think it's a complete coincidence that China has been pushing Red Flag Linux internally. By now they know the bugs in Microsoft Windows and have multiple exploits ready for use, and they have backdoors in Red Flag so they can spy on their own people. If they ever get into a cyberwar with the US, you had better be running something other than Windows.

      --
      Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
    13. Re:kind of makes you wonder by myspace-cn · · Score: 2, Interesting

      Isn't this just an argument for Microsoft's removal of FTP server updates and no "out of band" patching, and to only release "scheduled patching" (All this as I recall back at a time when Microsoft said they were going to enhance security from these changes)

      Since that time shit has rolled downhill.

      Does the Secunia warning on IE get ignored because of Microsoft's enhanced security policies? Or is it because removing IE's activeX breaks WGA?

      Personally I'd love to see tools for XP which allow removal and install of IE6,7,8 regardless of install state or service pack.

      I'll bring it back to pro tools, why can't you remove IE8 and install IE7 once your shit is slipstreamed SP3? While I would target the IE for the tool I need, others might just want to remove IE altogether from their system for stability and security. Good luck if your OS has IE 8 to begin with.

    14. Re:kind of makes you wonder by bug · · Score: 2, Informative

      Security firm eEye used to keep a long list of Internet Explorer vulnerabilities that they had reported to Microsoft, but Microsoft hadn't developed patches for. eEye's list tracked how many months, or even years, Microsoft had known about the vulnerabilities without releasing a patch. A few years ago, under pressure from Microsoft, eEye agreed to take their list down. Microsoft happens to be a big customer of eEye's, and presumably is responsible for a lot of eEye's revenue. This has been fairly typical behavior for security firms that have signed lucrative contracts with Microsoft over the last few years, and one wonders how much of this type of thing is merely hush money.

    15. Re:kind of makes you wonder by Foredecker · · Score: 2, Insightful

      How about this: with a commercial software vendor - heck, let's just use Microsoft - you have a vendor that has the funds and qualified staff to fix problems quickly; security and regular bugs alike. You likely have a support contract that requires this. Things are found and fixed quickly and reliably. There are people whose job it is to respond to email and answer the telephone. Heck, they will even fly out to your site if they need to. If you are in a moderately big city there are likely support people already there.

      Ok, with Redhat someone can get the same thing, because they pay $800 a year for support.

      Here is another way to look at it: you suspect you have a bug in some OSS software... Let's say it's a major one like Firefox. You send the security email alias a mail (there is no phone number). It's a good group of people, but hey, they are busy and you don't have any kind of business relationship with them. No money changed hands, you have no support contract. They are under no obligation to help you at all - the license agreement even says so. You downloaded Firefox for free remember? You are dependent upon their largesse and good reputation (and with Mozilla, it is good).

      So you hope they can get around to it - they have some people you can exchange email with, and a bug you can watch. That's groovy, but there are no solid expectations? They fix bugs and are generally reliable about getting patches out. They have a schedule and everything, but are not under any obligation to do so for you in particular. They are good honest folks so I'm sure they will get to it sooner or later.

      Like I just mentioned to X0563511, I don't buy the argument that "it's open so anybody can look at it and fix bugs". That's just bogus. Yes, of course it's open. I saw a hilariously appropriate post on Slashdot a while back (paraphrasing):

      The ratio of people that comment on security problems to the people actually qualified to fix them is about 1000000:1.

      It's a myth that for any given open source project there are legions of developers with the skills, knowledge and expertise to correctly fix complex security bugs and issue a patch as you say "fixed tomorrow". It's not even a good myth. The Myth Busters won't be interested.

      All the major OSS projects have teams that own the code - just like Microsoft. They don't let just anybody fix bugs - let alone security bugs. They have bug triage and code review processes - just like Microsoft. They also have test, QA and release processes too. Note there is at least one guy who thinks security bugs in OSS code can be fixed with no QA (read this golden post...) and no, he's not being subtly humorous, just naive.

      All major OSS projects have a vetting and qualification process just like we do. For example, I can fix security bugs in code I own, but not in the Windows kernel. Even for changes in my code I get a security dude to do a code review.

      I'll ask you this - how many security code reviews on other people's code have you done? How many bugs have been fixed as a result? How many did you fix? Can you link to the bugs and change lists in a repository somewhere?

      Fixing security bugs is hard - harder than regular bugs and those can be hard. You really think that just any old developer can just dive right in and triage and fix security bugs? Really? Do you think the owning teams would let you? If so, then go read some of the policies of major OSS projects, like the Mozilla pages here. "Virtually anyone" is most certainly not allowed to just dive in and fix security bugs in Firefox - they won't let you unless you are qualified and vetted.

      So look, I really do love open source software. The fact that it is open

      --
      Jibe!
  2. threat? by clarkn0va · · Score: 4, Insightful

    Microsoft has apparently been aware of this flaw since September.

    Further evidence that the only "threat" as far as MS is concerned is the threat of a damaged public perception. Although I suppose that's an improvement in itself.

    --
    I am literally 3000 tokens away from the chaotic crossbow --Stephen
    1. Re:threat? by 1s44c · · Score: 5, Informative

      I just laugh. I haven't had to reformat the drive even once since I obscured IE.

      If you use windows without IE you are still very much at risk from the many other windows holes. You will be cracked sooner or later and you may not even notice.

    2. Re:threat? by v1 · · Score: 4, Insightful

      What's unfortunate here is there's still a lot of people out there that don't understand why some security researchers publish security bugs they find. It's issues like this where "We reported this to you FOUR MONTHS AGO and you haven't fixed it yet. We're going public with it tomorrow." Oh noes! Everyone's computer getting owned, it's all your fault, you should keep security bugs QUIET so we have time to fix them!.

      Ya, right, whatever. They don't want the researchers to keep the bugs quiet so they "have time to fix them". Clearly four months is more than enough time to fix anything important. So, just how many more of these critical security bugs are we continuing to keep under wraps until someone exploits them before getting around to fixing? The logical conclusion is the researchers should give companies like MS a flat 30 days notice, and then go public immediately after that. At least we'd be getting the bugs patched 35 days after discovery, instead of 130 days. Either way, the amount of exposure we experience is the same, they're going to drag their feet until someone lights a fire under them. The only one this "irresponsible disclosure" hurts is the publisher. In the end, it helps the users, because the publishers now have a concrete deadline to avoid losing face, rather than "lets hope no one else discovers this before spring".

      We don't need them gambling with our security, and that's exactly what they're pushing with their cries for "responsible disclosure".

      --
      I work for the Department of Redundancy Department.
    3. Re:threat? by 1s44c · · Score: 2, Interesting

      So you are saying that any windows machine that doesn't run IE is safe-ish? Because it's not, there are countless flaws in other Microsoft code any one of which could cause a major security problem. If you don't start with a good design you have NOTHING.

      You don't really trust a software firewall written by Microsoft do you? If you want a firewall use a proper ( i.e. not software ) one.

    4. Re:threat? by Kozz · · Score: 3, Insightful

      If you use windows without IE you are still very much at risk from the many other windows holes. You will be cracked sooner or later and you may not even notice.

      Even more disturbing, some people may notice and not think much of it. What is the most obvious evidence you can imagine of being 0wned? I talked to a guy once who was telling me of PC troubles (he knew I was a "techie" guy) and said he occasionally would notice the mouse would move, click, etc without his input. I quickly asked him if he did any kind of commerce, banking, online bill-paying stuff, and he said "yes". I told him to go home and unplug his modem/cat5/whatever and to format the computer asap.

      It wasn't clear what exactly he thought the problem was, but I recall thinking he was surprised when I told him that there was a person on the other end of the wire moving the mouse, using his PC for who-knows-what. And even then he didn't seem to have a sense of urgency about fixing it. You can't fix stupid, as they say.

      --
      I only post comments when someone on the internet is wrong.
    5. Re:threat? by ozmanjusri · · Score: 2, Insightful
      How would you possibly know he will be cracked?

      80% of home Windows computers have been compromised by one or more viruses.

      IE market share is below 40%

      You do the math.

      Interestingly, even though most of those apps you mentioned as sources of vulnerabilities exist on other platforms, the rates of infection of anything other than Windows remains at zero or close to it. I'd say that points to a platform problem, not an application one.

      --
      "I've got more toys than Teruhisa Kitahara."
    6. Re:threat? by nmb3000 · · Score: 4, Informative

      IE market share is below 40%

      Anyone who uses w3schools's browser stats as a reference for general browser usage needs to get knocked on the head a few times. That is a perfect example of biased results due to the nature of the sample.

      A better number is about 62%.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
  3. Re:Exactly how does it work. by Arancaytar · · Score: 5, Informative

    Once Windows is compromised (by a sophisticated worm, not something that places advertisements in IE), there is very little a user can do that the worm cannot prevent or bypass.

    The Windows settings assistant may nod and smile, and say the port is closed, while the worm is using it in the background. You might see that if you look at the router's logs, but inside Windows the worm can control what you see or do.

  4. Re:This clearly needs 10 more stories by 1s44c · · Score: 3, Insightful

    This has been covered ad nauseam here. Do we really need an update every 10 hours? A bug was exploited, it is now patched. Anyone who falls victim to it now deserves to do.

    That's not entirely fair. It's not practical for many people to update all systems within a day or two. Most organizations don't move that fast.

  5. Re:This clearly needs 10 more stories by 1s44c · · Score: 2, Insightful

    This has been covered ad nauseam here. Do we really need an update every 10 hours?

    Yes. Micro$oft bad!

    Well, they are.

    A bug was exploited, it is now patched. Anyone who falls victim to it now deserves to do.

    Windows users dumb.

    That doesn't follow. Fooled because they don't know better or don't get the choice maybe, but dumb isn't the right word.

    Stay tuned as Slashdot milks this story for another week!

    Stories like this are raw meat for the Linux Hammer Legion members.

    Stories like this clearly show Microsoft for what they are - A company that doesn't care about the online safety of their customers data. They are a monopoly with the normal monopoly mentality that customers are there to serve them.

  6. A US-based, free e-mail service by Stephan202 · · Score: 3, Insightful

    [...] the Trojan sends a notification e-mail to the attackers, using a US-based, free e-mail service that Symantec declined to name.

    Hotmail, perhaps? No?

    1. Re:A US-based, free e-mail service by Zero__Kelvin · · Score: 2, Insightful

      "Wouldn't the obvious thing to do is shut the email account down and watch for people trying to log into it?"

      That would certainly trace them all the way to the anonymous proxy in a country with laws that don't require them to give up the logs.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  7. Update your Acrobat Reader. by Old+Flatulent+1 · · Score: 3, Interesting
    There was a similar hole in the way Acrobat Reader prior to 9.2 handled xml multimedia calls. And there were recent releases of updates for Shockwave Flash.

    It is rather telling that the same type of buffer trouble is showing up in other peoples software. I am just wondering if the flood "Gates" are about to open and we will wind up seeing multiple trouble with things like WMP, Silverlight ...there was already the same update happening for RealPlayer

    Just maybe there is a system xml call that is easily exploited in all versions of Windows....I can just see it now some lazy MS exec using old legacy system xml that is written using the gets and puts function. I would not put it past Microsoft to use old garbage code without even checking the old source then including the pre-compiled executable

    1. Re:Update your Acrobat Reader. by Antique+Geekmeister · · Score: 3, Insightful

      Maybe, just maybe, they should throw out most XML use. Its expandability and flexibility have caused repeated security and performance issues, and it's being used consistently instead of far simpler and more robust configuration technologies.

  8. Re:This clearly needs 10 more stories by the+eric+conspiracy · · Score: 2, Insightful

    The problem is that M$ gets the timeline wrong so often. It should be:

    1. Find bug
    2. Patch bug

    Not:

    1. Find bug
    2. Ignore bug for n months
    3. News released about exploit
      compromising customers installations
      causing international incident.
    4. Release self serving announcement
      that other systems are not affected
    5. More exploits appear
      affecting larger numbers of customers
    6. Patch bug

    Until this irresponsible behavior stops there should be a lot more stories. These guys need to have the light shown on their absurd practices as brightly as possible.

  9. Re:Exactly how does it work. by jesset77 · · Score: 2, Interesting

    Correct me if I'm wrong (but I do have a CCNA cert). Why not block the access ports that get opened, unless it's port 80 and then filter the traffic.

    Ah, CCNA. ;D

    Most users, if they have a router at all, have a SOHO router with minimal firewalling ability, just NAT/PAT.

    The simplest worm I could think of that would drink your milkshake would just dial home via SSL port 443. Client-initiated connection, redialed as needed: what on earth could your fancy firewall do about that? :3

    Moral of story: Don't get rooted. :(

    --
    People willing to trade their freedom of expression for temporary entertainment deserve neither and will lose both.
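The two comments above make a defender's point between them: Arancaytar notes that the router's logs are the one place a compromised Windows box cannot lie to you, and jesset77 notes that a callback over port 443 is a client-initiated, allowed connection that port blocking will never catch. What the router log still shows is the *regularity* of such a callback. The following is an added example, not code from the thread or from any product it mentions; it parses a constructed, hypothetical SOHO-router log format (the `src=`/`dst=`/`dport=` fields and the sample addresses are assumptions) and flags flows whose connection intervals are nearly constant, the classic beaconing signal.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound-connection log lines in a generic SOHO-router
# style (hypothetical format, not any vendor's). Host 10.0.0.5 calls one address
# on 443 roughly every 60 s; the 10.0.0.8 lines are ordinary, irregular browsing.
SAMPLE_LOG = """\
2010-01-22T09:00:00 src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp action=allow
2010-01-22T09:00:12 src=10.0.0.8 dst=198.51.100.20 dport=80 proto=tcp action=allow
2010-01-22T09:01:01 src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp action=allow
2010-01-22T09:01:30 src=10.0.0.8 dst=198.51.100.21 dport=443 proto=tcp action=allow
2010-01-22T09:02:00 src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp action=allow
2010-01-22T09:02:47 src=10.0.0.8 dst=198.51.100.20 dport=80 proto=tcp action=allow
2010-01-22T09:03:02 src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp action=allow
2010-01-22T09:03:55 src=10.0.0.8 dst=198.51.100.22 dport=443 proto=tcp action=allow
2010-01-22T09:04:00 src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp action=allow
2010-01-22T09:05:01 src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp action=allow
"""

# Field layout of the hypothetical log format; lines that do not match are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_beacons(text, min_connections=5, max_jitter=0.2):
    """Return [(src, dst, dport, mean_interval_seconds), ...] for flows that
    look like periodic callbacks.

    A flow (src, dst, dport) is flagged when it has at least `min_connections`
    connections and the population std-dev of the gaps between them is at most
    `max_jitter` times the mean gap. Ordinary browsing to a single host is bursty
    and fails the jitter test; a timer-driven callback passes it even on 443.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        flows[(src, dst, dport)].append(ts)

    beacons = []
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((*key, round(avg, 1)))
    return beacons


if __name__ == "__main__":
    for src, dst, dport, interval in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport} roughly every {interval}s")
```

The thresholds are deliberately conservative: five connections and 20% jitter will miss a callback that adds large random sleep, but they keep the false-positive rate low on a home network where the only other periodic 443 traffic is usually an auto-updater, which this check will also surface and which is worth knowing about anyway.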
  10. Re:Exactly how does it work. by Zero__Kelvin · · Score: 3, Funny

    "Correct me if I'm wrong (but I do have a CCNA cert)"

    That's just plain wrong

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  11. Re:Time to bury Firefox by baka_toroi · · Score: 2, Informative

    Thanks for showing me fixed vulnerabilities!

  12. Re:Just wait until Linux becomes popular! by lukas84 · · Score: 2, Interesting

    I've seen many compromised Linux machines sending out spam. Especially prevalent in Germany, where 1&1 and similar mass hosters provide hosted very cheap rental of Linux servers.

    Of course, the issues are the same as those of compromised Windows systems:

    * Not up to date on security patches
    * Admin doesn't know what he's doing
    * Using insecure legacy versions of software