IE Exploit Strikes, Installs Spyware

Yahoo ^ | Mar 24 | Gregg Keizer

[Gomez]

The unpatched CreateTextRange vulnerability in Internet Explorer is already being used by at least one Web site to install spyware on users' machines, a security organization said Friday.

"We just received a report that a particular site uses the vulnerability to install a spybot variant," the SANS Institute's Internet Storm Center (ISC) warned Friday in an alert. "It is a minor site with insignificant visitor numbers according to Netcraft's 'Site rank.'"

Disclosed only Wednesday, the flaw in IE 5.01, 6.0, and the January version of IE 7 Beta 2 Preview has security vendors worried because a patch isn't available from Microsoft. Thursday, as news circulated that a working exploit had been publicly posted, Microsoft said it was working on a fix.

Even before the site exploiting the CreateTextRange bug was discovered, security companies had raised alarms. The ISC bumped up its InfoCON level to "yellow" for the first time since the Windows Metafile fiasco in late December, when another "zero-day" flaw hit Windows users.

"It's a relatively trivial mod[ification] to turn [the exploit] into something more destructive," the ISC warned. "For that reason, we're raising Infocon to yellow for the next 24 hours."

Symantec raised its ThreatCon status indicator to "2" and boosted its Internet Threat Meter's warning for Web activities to "medium" because of the bug.

Although it's unclear exactly whether the Spybot-distributing site is drawing users to its poison or simply waiting for the unwary to stumble across the URL, it's likely the former, Scott Carpenter, director of security at Secure Elements, said in an e-mail to TechWeb. "The most probable vector for this worm will be in the form of spam with malicious links that will tempt users into clicking on a link that takes them to a malicious site."

In December (and after), hundreds of sites used the Windows Metafile bug to load spyware, including keyloggers and backdoor Trojans, onto unsuspecting users' PCs.

Rumors that Microsoft would release a patch before April 11, the next regularly-scheduled patch day -- such releases are dubbed "out-of-cycle" -- was quashed by a Microsoft spokesman who refused to commit the company to a date.

"Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers," he said in a verbatim repeat of Thursday's advisory. "This will either take the form of a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

So, what should users expect, say, over the weekend and early next week?

"It's hard to say at the moment, since this is just the beginning," said Alain Sergile, a technical product manager at Internet Security Systems' X-Force research. "But if SANS' report is accurate, I think we'll see additional targeted attacks where spam is sent to users at a specific organization in the hope that someone clicks on the link and downloads the malicious code so the attacker can infiltrate the network."

Because it remains an unpatched vulnerability, "everyone should consider this a zero-day kind of threat," added Sergile. "That means people will be caught flat footed."

Microsoft has recommended that users disable Active Scripting in IE until a patch is posted, but Sergile said that wasn't really a workable solution. "That will kill the capability of a large number of Web sites. The Web isn't much fun without those [scripting] capabilities." Instead, he recommended users visit only sites they know are safe.

Or turn to another browser. "The problem is in how Internet Explorer interprets the scripting call. Firefox doesn't have this problem

[sionnsar]

Instead, he recommended users visit only sites they know think are safe.

[Number57]

I stubbornly held onto IE for the longest time, even after I started using Firefox, mainly for viewing sites Firefox couldn't display. That all ended when I downloaded the newest beta version of IE a few weeks ago. While it had some great improvements (some would argue that they're stolen directly from Firefox), it screwed my screen resolution up and text just looked weird on it. So I uninstalled & haven't bothered to reinstall since. Firefox still needs some tweaking, but security is more important than media-capabilities, IMO.

[Turbopilot]

Step-by-step directions for disabling Active Scripting.

Another, more comprehensive option is to set your security level to "High" as opposed to "Medium" or "Custom", and then add site that require additional functionality and that you trust to the "Trusted" domain. This method creates a sort of "opt-in" method of Web safety, where essentially no site can do anything except display basic HTML unless you specifically permit it by adding it to the safe list.

Other options are switching to Firefox or Opera web browsers, or doing everyday tasks under a "User" rather than an "Administrator" account. However, these options are impractical for some people.

[TBP]

Other options are switching to Firefox or Opera web browsers

Puccini or Verdi?

[Turbopilot]

Those are old versions. You'll want to update to Tommy or Quadrophenia.

[TBP]

Or "Phantom"

[Panerai]

[conservativefreak]

"However, these options are impractical for some people."

Why would these options be impractical? Using Opera or Firefox or Safari or Konqueror is a lot more secure than using I.E, and they're not that hard to install.

[Turbopilot]

In my opinion, using another browser is practical - I've used Firefox almost exclusively for about a year, and haven't found any web sites with which it's not fully compatible. I've also tried Opera 8.5 and found it fully compatible with the sites I typically use, although I ended up preferring Firefox (and its extensions) so I don't use Opera much anymore. I have heard, though, that some sites (though none that I use) just will not work with anything other than IE, and if someone is a frequent user of such sites it would obviously be impractical to switch.

The main point of my comment about impracticality was logging in as a user rather than an administrator. While XP itself makes that option quite easy to use, the problem is that so many Windows applications aren't designed to run under limited user privileges, so it can be a pain for someone (like me) who is the sole user of their computer to set things up as an admin, recreate their entire user profile under a limited user login, and then login to specific programs with a secondary login to operate various software. IMHO the ideal solution would be a method that would "clone" user accounts, so for example I could have the same desktop, start menu, and programs installed, but unless I do a secondary login with an admin password my programs are limited to user-mode functionality. Supposedly, Vista will have such an option, although for now I feel quite secure with my current XP setup, admin login and everything.

[backhoe]

From my files:

These are some recommendations that will significantly decrease the chances that you will have problems with malware in the future:

1) Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

Microsoft Anti-Spyware

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Keeping these programs up-to-date and running them regularly can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. A good free firewall is ZoneAlarm.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: So how did I get infected in the first place?

 

Things you need(all FREE)
Anti-Virus
AVG

Avast
Firewall
Kerio(Direct Download)

Zone Alarm
Misc.
IE Spyads SpywareBlaster Spyware Guard
Windows Update
get all CRITICAL Updates

Things you want(Still Free)
Mozillia Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

 

Run a hardware firewall-- with today's LAN's, it's easy. You need a hardware firewall.

[ThreePuttinDude]

BTTT

[GiovannaNicoletta]

bookmark