IE Vulnerability Exposing Banking Logins, Spreading Rapidly

jfruh writes "A vulnerability in Internet Explorer 9 and 10 that allows attackers to target banking login info, first reported on February 13, is being exploited in the wild, and attacks are spreading rapidly. Sites compromised by the malware run the gamut from U.S. Veterans of Foreign Wars site, to a site frequented by French military contractors, to a Japanese dating site. Microsoft has released a 'fix-it tool' but not a regular patch."

Well there's your problem.

Why is there a banking login on a Japanese dating site? Perhaps we should start by addressing that.

Re:Well there's your problem.

[The+Rizz]

...so you're saying that other sites shouldn't be using the "best" security for their login process? They should intentionally use weaker security than banks?

Re:Well there's your problem.

[Penguinisto]

Why is there a banking login on a Japanese dating site? Perhaps we should start by addressing that.

Hell, why is anyone still using IE to browse anything on the public Internet (let alone anything to do with banking)? May want to address that first.

Re:Well there's your problem.

[ShanghaiBill]

Why is there a banking login on a Japanese dating site?

So the chicks can verify that the dude's income is really as high as he claims. Duh.

Re:Well there's your problem.

He doesn't know about the growing Date-Trading business in Japan. I'm heavily invested in Japanese Dating Futures.

Re:Well there's your problem.

[lgw]

This is not 2004. IE 11 is fine, as a browser, with the main problem being that adblock isn't free. What's surprising is that IE would be targeted when Chrome has the market share now (you can buy vulnerabilities for old versions of any browser, so attackers generally pick what will affect the most people).

Maybe this is Chrome's auto-update-without-asking paying off? IE does that now (finally!), but not across major versions: hopefully this will be an object lesson.

Re:Well there's your problem.

[hawkinspeter]

Even if it wasn't for attacks like this one, everyone should boycott Microsoft browsers for their awful use of "standards" in IE6. The total amount of pain caused to web developers around the world must never be forgotten.

Re:Well there's your problem.

[Penguinisto]

This is not 2004. IE 11 is fine, as a browser, with the main problem being that adblock isn't free.

1) well that sucks for an ad-blocking solution - ABP and DoNotTrackMe are, well completely cost-free for the browsers that I use the most (FF, Chrome, and occasionally Safari).

2) Chrome is a consistent user experience on my MacBook Pro (both in OSX 10.9 and on the Linux VM sitting on it), my Windows 7 desktop at work, my Android phone and tablet... no matter what device I use in my possession. I can also sync bookmarks between the MBP and phone, allowing for more than just a little portability. IE can't give me that without being forced to drink the koolaid with a mono-platform solution, and I doubt that the bookmarks automatically sync. (besides, IE doesn't exist for either OSX 10.9 or Android)

Re:Well there's your problem.

[lgw]

Yup, it's less than idea, but DNT is free and I bought some adblock solution cheap that seems to work OK (it's free for some limited number of ads blocked, so I use it on infrequently-used VMs).

I find Chrome a consistently crappy user experience, so ewww. FF seems just fine to me, can't quite pinpoint why Chrome annoys me so.

Re:Well there's your problem.

[Billly+Gates]

I think your knowledge of adblock is a little dated? It has been free and available since last summer all the way back down to IE 8.

If you are corp the best way to be secure is just to not install flash or push a GPO to remove it corporate wide. Besides the marketing department wanting to see commercials flash servers no purpose at work other than being an attack vector.

Re:Well there's your problem.

[Billly+Gates]

Forgot to close the ahref link. ... my bad

Adblock for IE is here https://adblockplus.org/en/int...

Re:Well there's your problem.

[Billly+Gates]

Why?

Webkit, Opera, Netscape, and even early Mozilla all failed the acid test back in 2004. It took almost a decade before rendering was done correctly.

Mozilla before Firefox 1.5 had more rendering quirks than IE 6! Ask any website developer from that time frame?

IE 6 was a good browser back in 2001. It was just software was not that great and sucked goatballs back then and then the browser stagnated for many years.

HAH!! I use IE6!

I'm immune!!!!

Re:HAH!! I use IE6!

[coolsnowmen]

Maybe-- I'm immune to that horrible apple SSL bug because I didn't update to maverick

Re:HAH!! I use IE6!

[Penguinisto]

Maybe-- I'm immune to that horrible apple SSL bug because I didn't update to maverick

Pfft, children, children... I'm immune because I use wget and curl to do all of my browsing!

Re:HAH!! I use IE6!

[Nivag064]

REAL PROGRAMMERS write a new Web Browser in machine code for each session...

Re:HAH!! I use IE6!

[Penguinisto]

Err, why wait for the IDE to warm up, the compiler to finish, and etc? Just telnet to port 80 or 443 on the destination server, and send your GET and POST commands manually.

Re:HAH!! I use IE6!

[Applehu+Akbar]

Meanwhile, I'm immune to that horrible Apple SSL bug because my iMac is hardwired to my router and never ventures outside the office.

Re:HAH!! I use IE6!

[imatter]

and you try and tell the young people of today that ..... they won't believe you.

If you're dumb enough to use IE when banking...

[gestalt_n_pepper]

I'm not sure what anyone can do for you.

Re:If you're dumb enough to use IE when banking...

[I'm+New+Around+Here]

You better stop typing and run along. You're going to be late for third period math (remedial).

Re:If you're dumb enough to use IE when banking...

[Zalbik]

Geez Ballmer, you really haven't found anything to do since retirement, have you?

Why don't you just calm down?

Maybe throw a chair or something....that always seems to help...

Re:If you're dumb enough to use IE when banking...

[BUL2294]

Well, you might not have a choice depending on your OS version...

XP, 2003 - max is IE8 (not affected)
Vista, 2008 - max is IE9 (affected, presumably most used version)
7, 2008R2 - currently at IE11, but many users still using IE10 (affected) since IE11 came out in November for this OS
8, 2012 - only supports IE10 (affected)
8.1, 2012R2 - only supports IE11

Re:If you're dumb enough to use IE when banking...

[sjames]

A signed document! You can't go wrong if you have a signed document!

AUUUUUUUUUUUUUUUUUGGH......WHUMP!

Re:If you're dumb enough to use IE when banking...

[damnbunni]

Does it absolve you from all blame?

It must be nice to have a document like that.

Re:If you're dumb enough to use IE when banking...

[sjames]

Whoosh!

Re:Is IE Really to Blame?

From what I'm understanding, the web sites/servers themselves are being compromised.

Not quite. Any compromised website can take over the browser. So a malware ad hosted on Youtube or ./ can infect the browser, and the attacker can then snoop on future activity – e.g. on banking sites.
As the vulnerability seems to allow arbitrary code execution (with user privileges), this means keyloggers and the whole shebang, so using a dedicated banking software isn't necessarily going to save you.

Hmmm...

[Bugler412]

Given the anti-MS slant here, I think it's ironic that Slashdot is sometimes a more timely news source on exploits in MS software than of nearly any of the open source products Slashdot users are so fond of, hmmm....

Re:Hmmm...

[Zero__Kelvin]

"Given that we are all educated enough to have an anti-MS slant here"

FTFY

Re:Hmmm...

[The+Rizz]

Well, for one thing, the anti-MS slant has been tapering off here for years; they're no longer seen as "Big Evil", but more of a "McComputer" sort of thing.

For another thing, most /. readers may like the OSS movement, but they primarily work in Windows, have friends who use Windows, have family who use Windows, and are often the ones who provide tech support to those friends/family/co-workers. Knowledge of these vulnerabilities do more good for more people than knowledge of the latest bugs in Epiphany.

Re:Hmmm...

It's pretty obvious you like M$. You can't log in, and don't know how to properly blockquote.

Re:Hmmm...

[rtb61]

I would expect that an in the wild browser exploit that targets login credentials, including financial institution credentials would be pretty damn high public notification list of all news sources not just slashdot. In fact I am damn surprised that this information is not being presented on mass media sources. Isn't it disgusting how advertising dollars can put people at risk because PR=B$ experts (drips under pressure) well don't give a fuck about anything but their own profits regards of the harm caused by their companies actions.

Band Aid Security Industry Top to Bottom

[BoRegardless]

CEOs have ignored security researchers since the start of the modern internet, because CEOs only want "Results now!"

Re:Is IE Really to Blame?

[i+kan+reed]

That's not what I read at all. It seems to be an entirely client side problem.

Re:Is IE Really to Blame?

[quickOnTheUptake]

The compromised site is being used to host/inject the exploit.The vulnerability that is being exploited is in IE 9 &10, and allows code execution. It is being used to get the credentials for other--non-compromised--websites.

And IE is the standard in the banking industry

[RevWaldo]

It's the one most banking and investment houses use and develop their sites to work with. So there's that.

.

Re:And IE is the standard in the banking industry

[sjames]

Brought to us by the geniuses that think a number you must tell everybody and his dog has any use as an authentication token.

Re:Staying behind the curve wins again!

[The+Rizz]

Still running IE8 so no problems.

Keep pushing the envelope to be cool and edgy and this is what you get.

Actually, Windows 8.1 comes with IE11, so anyone who is completely up to date is immune to this one as well. So, being behind the curve is bad, being either at the forefront or way behind the curve is good.

Re:Is IE Really to Blame?

[crunchy_one]

Any compromised website can take over the browser. So a malware ad hosted on Youtube or ./ can infect the browser, and the attacker can then snoop on future activity – e.g. on banking sites.

And this is exactly why I always run an ad blocker.

Given the current mess that is web advertising, it would be foolish to do otherwise.

IE?

Who in their right mind uses IE for anything secure would be my question?

Laugh

[koan]

People still use IE?

Re:Laugh

[hcs_$reboot]

People still use IE?

Yes. Many non-IT companies require their users to use only IE, due to *security concerns* (the security concerns being that everybody should use the default browser provided with the OS, and not a random one of choice). This is usually the case where the CIO/IT management has been holding that same position for a relatively long time, signing that same yearly contract with Microsoft for OS+Office. In short, keeping the same IT environment is the recipe to ensuring there is no change on IT management side either.

Re: Laugh

[tom229]

Our default browser is IE, and it's not because I have any love for Microsoft, or spending extortionate amounts of my IT budget on Microsoft licensing. I personally use firefox on a day to day basis, but the official "supported" browser in the company is still IE simply because it's easily configurable within the domains group policy, and most widely supported when it comes to corporate browser applications.

I know what you're getting at, and I'd have to disagree. Most company's are forced to be a Microsoft shop simply for compatibility reasons. The software my users depend on daily to do their jobs is Windows only... and there's nothing I can do about this.

Accounting needs Word and Excel. In fact, they "need" 2010 or they all need to be on the same versions. If I have even one of them on a different version they will complain about compatibility issues.

Geology needs a plethora of Windows only client/server software first written in the early 2000's and sparingly updated. This is specialized stuff.. you can't just get it off the shelf anywhere. This requires Windows desktops and Windows servers.

I could go department by department but I think you get the point. Once you require Windows on the desktop for end user software, it makes the most sense to have a Microsoft domain and Exchange Server because they all play nicely together. Exchange is especially nice since every member of my staff took some business course in community college and is comfortable with Outlook. We did a test run of gapps using the outlook plugin but it wasn't nearly as intuitive or function rich as an Exchange environment; especially when it comes to calendars, room booking, scheduling, and tasks.

So at the end of the day, when everything else is Microsoft, it makes the most sense to use IE, because it plays nicely with all of the above. I probably could struggle with getting everything to work on Firefox, and deploying policies through the registry or batch scripts, but in my experience it's just not worth the hassle. You're not busy enough, or responsible for enough if you haven't yet learned to leave your ideals at the door, and just use what works.

Re: Laugh

[Kz]

that started reasonable enough, citing real issues that make it the only option to use Windows, Word and Excel. That much, I concede, it's not worth it to fight.

But I draw the line, and Exchange and Outlook are way past it. No way I would support either on my networks. Simply put, these are the real implementations of the first Halloween document. in other words, it's baitware that works "nicely enough", and with several well-researched features to make them attractive, but as soon as you want anything non-microsoft in your setup, they create all kinds of obstacles and hoops you have to jump. It's not that other systems don't "work nicely with all the above" it's that these specific programs were designed from the start to create those problems.

I agree that MS isn't the 'evil' it once was, but in the email space, it hasn't changed a bit. And it's up to us not to tolerate it.

Re: Laugh

[tom229]

Fair enough. I'm curious then. What do you use for email?

Re: Laugh

[Kz]

Fair enough. I'm curious then. What do you use for email?

SMTP / IMAP. that's all.

As for software, it's usually CommuniGate or Zimbra on the servers. For clients, I support Thunderbird, apple's Mail.app, kontact, Eudora, and the included clients on iOS and Android and even Blackberry. all of them work perfectly together when using standard protocols.

There are a couple of big bosses that insist on using Outlook, even though they can't say a single reason to prefer it, it's usually just "i'm too old to learn something new". One of them creates by himself easily more trouble than the three companies where i'm involved in support. What seems to be helping a little is that we created an isolation server running Fetchmail to keep a copy of all his mail and accessed exclusively from his one Outlook machine. all his other devices (two iPhones, an iPad, one Blackberry and a MacBook) work without a hitch directly on the CommuniGate server.

Re: Laugh

[tom229]

Hmm.. well I'm glad you've been able to exist without Exchange. Personally I've tried Zimba, Groupwise, Google Apps, etc and I've never found a platform that can support users as seamlessly and easily as Exchange can. IMAP is completely fine, but users expect so much more from their mail these days. Contacts, Global address book, Calendar, Room Calendars, Shared Calendars, Tasks, etc. Using Outlook they can easily share calendars. I can easily give management full access permission to a mailbox and it will automatically add to Outlook. This business is rather large so boardroom space can be scheduled and booked. They can see eachother's availability, etc.

I've never used Communigate, and maybe Zimbra has gotten better. Thanks for the information. Perhaps I'll give them a try.

Yes, IE is to be blamed.

[140Mandak262Jamuna]

The hackers have to lure you into visiting the compromised website. How difficult is that? Once you visit that site using IE, it corrupts the memory. Then it takes advantage of a wild pointer read error in IE to get remote execution ability.

Of course Secunia will count this is as "one bug", after Microsoft agrees it is a bug. On the other hand, it will look at bugzilla of Firefox, and every bug report by everyone will be counted towards the total bug count on Firefox. Microsoft will continue to insist its browser has fewer bugs than Firefox. Gartner will issue a TCO report based on these numbers. And everyone will be scratching their head, why IE market share continues to fall when all these numbers say IE is the safest browser in the world.

Edgy?

[sjbe]

Keep pushing the envelope to be cool and edgy and this is what you get.

Right. People running Windows are really concerned with being "cool and edgy".

Re:Is IE Really to Blame?

[140Mandak262Jamuna]

Microsoft says "The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated".

Clearly the wild pointer read error is in IE not in the server. They need to hack the server to post the exploit code in their server. But they could also create the same vulnerability in a site owned by them. No need to hack. But it is more difficult to lure visitors to the newly created malware site. That is why they need to hack a well visited site to upload the hack. But all visitors to that site using Chrome and Firefox and other versions of IE are not affected. Fault lies solely on these versions of IE

Re:Is IE Really to Blame?

[fast+turtle]

and this is why I have Noscript in Deny All Mode be default. Forget the damn adblocker as blocking scripts is how you do it. I also use a Hosts file * Thanks APK for the reminder * to block most of the god damn advertisers around the world.

Re:Is IE Really to Blame?

[Zalbik]

and this is why I have Noscript in Deny All Mode be default. Forget the damn adblocker as blocking scripts is how you do it. I also use a Hosts file * Thanks APK for the reminder * to block most of the god damn advertisers around the world.

And this is why I browse using Lynx. Forget the damn script blocker as blocking all active content is how you do it. I don't need a hosts file as I literally don't see ads.

Netflix kinda sucks though. Kevin Spacey just isn't the same when rendered in ASCII.

Secunia also says Firefox less secure than IE 6

[Billly+Gates]

So how do you really trust them?

However, Chrome is getting many patches recently between versions due to flaws in blink and flash. So the idea to blame IE as still sucking is disingenuous.

The point is always upgrade your browser and OS in addition to running adblock/flashblock, or if you are a corp banning flash and java altogether. The port of adblock for IE is here.

Many IT professionals who whine about leaving XP and IE 8 behind should be FIRED. IE 11 sandbox is fine for this. If you run WIndows 7 or later both IE 9+ and Chrome have lowrights mode which restrict everything include writting to the disk with the narrow exception of %appdata.

These days most of the infections I see come from Firefox and plugins. Firefox has no lowrights mode and if anyone reading this is using XP you neglect sandboxing on all browsers and expose yourself.

Re:Staying behind the curve wins again!

[Billly+Gates]

Funny IE 11 is fine and is the most recent. I would argue an older browser is less secure and IE 8 has more vulnerabilities than IE 9 and IE 10.

Yep forget better sandboxing, HTML 5 support, h.264, and lowrights mode if you are on XP still as well. Stay with the old!

Many sites and not just geek ones like my t-mobile site to pay my bill are not IE 8 compatible. If you read about the vulnerability it uses flash too. So get rid of flash and then hafl the web wont work when you want to listen to pandora or youtube music videos.

IE 8 has alot more exploits than IE 11 as it doesn't have as many modern sandboxing techniques due to compatibility for XP.

Yeah, I can see that

[morgauxo]

I hated Microsoft pretty hard. Now... McComputer sounds about right. Good Call!

I mostly use Windows at work (because that's what my work uses) and just about entirely Linux at home (that's what I choose). This hasn't changed.

I don't think I have changed. Microsoft has changed and so has the market. I just don't see Windows computers crashing like they used to. Quality has improved Perhaps this was in part due to the threat of competition from oss? Note that I said threat of, not actual competition. We all know Linux didn't take off on the desktop but there certainly was enough hype about the possiblity!

Also, you can actually do something in Windows without having a corporate sized budget. Want to be an amateur programmer? It used to be all Windows had was a BASIC interpereter. To get an actual compiler (any language) was 100s of dollars. Apparently you had to pay for the privilege of creating software for Windows. Even though more software existing for Windows just makes Windows more desirable... explain that one. Now Micorosoft releases free versions of their development environments which are cut down enough to give companies a reason to buy the real thing but not so much as to prevent one from compiling a useful application.

Besides what Microsoft offers, now there is all sorts of free oss available for Windows. You can develop for Windows in gcc! Can't afford Photoshop? Gimp runs on Windows now. How about web serving. Microsoft used to charge big bucks for different levels of licensing on their web server. They limited how many people could connect at a time. I thought that was a very assinine money grab. It's not like Microsoft programmers put in more hours every time your server serves 100 copies of your web page vs 5! Do they still do that? I don't know. Who cares?!? I can always run Apache on Windows or any one of a million other free programs.

In the early days Microsoft plus IBM were the PC. The PC was awesome for hackers, makers and all kinds of geeks. Before that everything was pretty much proprietary. Now you could mix and match hardware pieces as you please. Also, I could run the same program on my Tandy as my friend ran on his Dell even though it was written on a computer made by IBM!

Later Microsoft became evil in part becasue the kind of compatiblity the PC gave us was expected. We didn't need Microsoft to help us get that anymore. But.. Microsoft was pushing things the other way, embracing standards just to change them a bit once they had a market share so that people would be locked in to using their product.

Now.. Microsoft is losing that monopoly power. They can't do as much damage as before. But.. mobile devices are the big thing, not Desktops. And with our phones and tablets we are back to the bad old pre-pc days where everything is proprietary. I'm not saying that Microsoft is doing anything to try to change this but at least they aren't the driving force behind it. That title is shared by Apple and the cellphone carriers.

So.. Microsoft is a de-fanged wannabe villian who occasionally does nice things. Apple and the Telecoms, they are where the real evil lives today.

If we were serious about security...

[ggraham412]

... we would stop loading up web browsers with "features" that only help content providers shove ever more ads and video down our gullets.

Re:If we were serious about security...

[WD]

The vulnerability is a use-after-free bug triggered by DHTML. If DHTML is a feature that you don't care for, feel free to switch to Lynx or Mosaic.

Re:Is IE Really to Blame?

[CastrTroy]

Kevin Spacey In ASCII for all those who were wondering.

Re:Is IE Really to Blame?

[sjames]

Yes it is. IE has a bug that allows a site to get it to execute arbitrary code. That is always wrong.

Re:Staying behind the curve wins again!

[lgw]

Well, that's hardly surprising: the lesson for a decade now has been "don't run what most people run". If Win8 had been successful, this would have been an IE11 exploit. In a few years, it will all be Chrome exploits.

Re:Is IE Really to Blame?

[parkinglot777]

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

The vulnerability exists in IE version 9 & 10 themselves at http://technet.microsoft.com/e... (from TFA). The problem in this case is not about users hit the site which is already compromised, but it is that the browser being used allows exploitation to happen. Furthermore, MS has not come out with an official patch but rather suggested a work around.

If other browser has exactly the same vulnerability that can be exploited the same way, then your statement is somewhat valid. However, I doubt that other browsers would have it even though they may have similar vulnerability but cannot be exploited the same way.