Posted on 09/21/2006 5:31:55 PM PDT by Eagle9
Exploits against the unpatched vulnerability in Microsoft's Internet Explorer are increasing and attackers are gathering momentum, researchers said Thursday. They warned that the problem would become worse if cyber criminals attack via e-mail next.
"It might come to nothing, but it feels like a storm's coming," said Roger Thompson, the chief technology officer at Exploit Prevention Labs. "The potential is there. Call it a storm watch, not a storm warning."
At least two different exploits have appeared this week, said Thompson, one linked to the Russian-made hacker exploit kit called WebAttacker, the other posted early Thursday on the xSec gray-hat vulnerability research site. That second exploit can launch remote code without using JavaScript, as did the original inserted in the WebAttacker kit; it's more dangerous for that reason.
"The xSec exploit doesn't work as posted," said Thompson. "It only crashes the browser. But it looks like it would be easy to turn it into a working exploit."
Worse, the current attack vector -- malicious Web sites that infect only those who happen to view one of their pages -- may be replaced by a wide scale attack carried out by e-mail, said Ken Dunham, the director of iDefense's rapid response team.
"The newest exploit works with e-mail," said Dunham. "We took the newest version of Outlook, all patched, and the exploit crashed it." With some help from iDefense researchers, however, the exploit was able to execute other code. That means e-mail clients that preview HTML messages using the IE rendering engine are at risk. Just previewing a message could result in a computer hijacked by a bot or loaded with adware, spyware, or other malicious code.
"You would be attacked immediately, as soon as the preview is rendered," said Dunham.
Dunham's surer than Thompson that the VML vulnerability will soon explode. "It's imminent. I would not be surprised if a small number of e-mails were already being sent to companies or governments."
Dunham likened the current situation to the WMF (Windows Metafile Format) vulnerability of late December 2005. "Within 24 hours, targeted e-mail attacks were made against the Korean government and the U.K. Parliament. I think [the VML vulnerability] will rival WMF," Dunham said. "It's trivial to change."
An e-mail attack was also on Thompson's mind. "I'm watching some big spam runs that are linking to older versions of WebAttacker," he said. "Some of these sites use the power of spam to magnify their attacks, and the power of the Web to draw in people." It would be very easy, Thompson said, for a spammer to simply insert a link to a URL hosting the newest edition of WebAttacker -- the edition with the VML exploit -- in the junk mail he sends out.
"It would be nice if Microsoft released a patch," he added. But there are no indications that Microsoft will break from its regular security update schedule, which is set to release fixes on Oct. 12, two-and-a-half weeks away.
For Dunham, it wouldn't be a stretch to assume that slick, sophisticated cyber criminals will target specific organizations -- companies, universities, and government agencies -- with e-mail infections. "There are people out there with a military or state or political agenda. They have targets, and they've identified those targets. All they're doing is looking for a way to compromise those computers."
The motivation? One of the oldest in the book: Money. "There is a market in the underground for corporate or government secrets," said Dunham. "An attack [like this] could even threaten a country's national security."
Microsoft has faced similar situations this year, and patched out-of-cycle only once, against the WMF bug in early January, and then only after the number of sites hosting an exploit ballooned in just days. "If anything breaks, I think they will release a patch," said Thompson. "But it's not a storm yet."
bump
So maybe it's 99.99% written for Windows and the rest for everything else.
Besides, anything targeted for a Linux box would need root access to do major damage. The typical Linux user isn't running as root unless he has to.
Well, I'm no expert on Linux but there are viruses that go after Macs. At work, I see a virus alert from our computer people warning everyone who uses a Mac to watch out for a new virus.
Uh, it's because most people blame the hackers for viruses, not Microsoft. Microsoft = users, either you help them or you hurt them with new software.
To date there have been NO reported, confirmed virus or other malware attacks against Mac OS X. What you're hearing are rumors. Just ignore them. Better yet, get a Mac and stop worrying completely.
I despise Macs. I've used them enough at work and would never own one.
Yeah, the NBM crowd's dream. The difference is that they wouldn't work on those other systems because the security model is actually coherent, and the applications are NOT part of the operating system.
Duhhhhh....
That's the fun part. There are many programs out there that use IE to render HTML, so even if a person stops using IE to protect himself he may not know that other programs are using IE under the hood, leaving him vulnerable.
Accounting apps may be a bit more difficult to come by.
Regards, Ivan
First, dump Outlook and use Thunderbird. Second, go into your IE settings, on the Security tab. Set the Internet zone to the high-security mode, go in and make sure everything is completely disabled. Same thing for Local Intranet and Restricted Sites. Then go to Trusted Sites and make sure the only thing in there is the Windows Update site.
It's not 100%, but it will help narrow your window of vulnerability if you never use IE.
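The zone lockdown in the post above, written out as an added PowerShell example (not code from the thread): it audits the Internet, Local Intranet and Restricted Sites zones, raises each to High, disables the ActiveX and scripting actions, and lists every host mapped into Trusted Sites so anything beyond the Windows Update entry stands out. It assumes the standard per-user registry locations; the zone ids, the CurrentLevel value for High and the per-action value names are Windows' own.

```powershell
# Added example (not from the thread): audit and enforce the IE zone settings the
# post describes. Run in the context of the user whose profile is being hardened.
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$high     = 0x12000                      # CurrentLevel value for the "High" template
$targets  = @{ 1 = 'Local Intranet'; 3 = 'Internet'; 4 = 'Restricted Sites' }
# Per-action values IE actually enforces (CurrentLevel only labels the slider):
# 1001 download signed ActiveX, 1004 download unsigned ActiveX,
# 1200 run ActiveX controls and plug-ins, 1400 active scripting. 3 = disable.
$disable  = '1001', '1004', '1200', '1400'

foreach ($id in $targets.Keys) {
    $key   = Join-Path $zonesKey $id
    $level = (Get-ItemProperty -Path $key -Name CurrentLevel).CurrentLevel
    if ($level -ne $high) {
        Write-Output ('{0} zone is at 0x{1:X}; raising to High' -f $targets[$id], $level)
        Set-ItemProperty -Path $key -Name CurrentLevel -Value $high -Type DWord
    }
    foreach ($action in $disable) {
        $current = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
        if ($current -ne 3) {
            Write-Output ('{0}: action {1} was {2}; disabling' -f $targets[$id], $action, $current)
            Set-ItemProperty -Path $key -Name $action -Value 3 -Type DWord
        }
    }
}

# Trusted Sites is zone 2. A ZoneMap entry with value 2 under a scheme name maps
# that host into it; print each one so the list can be checked against the post's
# "only Windows Update" rule.
Get-ChildItem -Path $zoneMap -Recurse | ForEach-Object {
    $props  = Get-ItemProperty -Path $_.PSPath
    $domain = $_.Name -replace '^.*\\Domains\\', ''
    foreach ($scheme in 'http', 'https', '*') {
        if ($props.$scheme -eq 2) {
            Write-Output ('Trusted Sites mapping: {0} ({1})' -f $domain, $scheme)
        }
    }
}
```

Restricted Sites is also the zone Outlook uses to render HTML mail, so keeping it at High with scripting disabled is what limits the preview-pane exposure the article describes.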
I'm not saying any of them suit you, but they are out there. I believe MyBooks works on all three platforms. Then there's MYOB and Liquid Ledger. Others are Java server-based, so will work on Mac or Linux.
To narrow your vulnerability, you can use Firefox with the IE Tab extension. With a click it'll open a tab that is rendered by IE. You can also specify certain sites that will always be rendered by IE. Otherwise, you just use Firefox.
How about Firefox?
I use IE at work. I have no choice. All of my other computers use Firefox and have for quite some time. I learned of it here at Freerepublic, of course.
There have been experimentals and proofs of concept, but none have been able to survive and propagate in the wild. The one successful infection I know of is a guy who downloaded a file that claimed to be a pirated MS Office off a p2p network. He went to install it, purposely typed in the admin password to let it install, and watched it wipe out his user account. No OS can protect itself from people that dumb.
It didn't affect the rest of the system though. Access to the root account to do that is disabled by default, and it takes a specific procedure to enable it, never going to happen by accident.
What most Microsoft defenders don't realize is that the above is complete and total hogwash.
Firefox now has 10% of browser market share. While 10% may not sound like much it represents a huge number of users when you consider the total number of folks on the net. That also doesn't take into consideration that many people fake their browser responses to make it seem as though they are using IE so stupid websites that require IE for no legitimate reason will work.
Let's take one case in point to show how bogus the concept of "too few users to matter" really is. There are people out there who will write viruses to muck things up just because they can.
From the friendly article:
On Friday March 19, 2004 at approximately 8:45pm PST, an Internet worm began to spread, targeting a buffer overflow vulnerability in several Internet Security Systems (ISS) products, including ISS RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE. The worm takes advantage of a security flaw in these firewall applications that was discovered earlier this month by eEye Digital Security. Once the Witty worm infects a computer, it deletes a randomly chosen section of the hard drive, over time rendering the machine unusable. The worm's payload contained the phrase "(^.^) insert witty message here (^.^)" so it came to be known as the Witty worm.
...
Witty infected only about a tenth as many hosts as the next smallest widespread Internet worm. Where SQL Slammer infected between 75,000 and 100,000 computers, the vulnerable population of the Witty worm was only about 12,000 computers.
Note in the above that the entire population of vulnerable computers was just 12,000, an insignificant number of hosts when you consider how many devices are on the internet.
The Victims:
The vulnerable host population pool for the Witty worm was quite different from that of previous virulent worms. Previous worms have lagged several weeks behind publication of details about the remote-exploit bug, and large portions of the victim populations appeared to not know what software was running on their machines, let alone take steps to make sure that software was up to date with security patches. In contrast, the Witty worm infected a population of hosts that were proactive about security -- they were running firewall software. The Witty worm also started to spread the day after information about the exploit and the software upgrades to fix the bug were available.
O.k., so you have a small pool of vulnerable hosts, and the users at least have the presence of mind to be running a firewall, yet someone took the time to craft and deploy this worm.
Are you sure you still want to claim that there just aren't enough Linux or OSX users out there to make it a tempting target?
That's not even taking psychology into account. There are groups out there who do this kind of thing for fun (and sometimes profit). The bragging rights to having created the first successful OSX worm should be tempting enough if it were as easy a target as MS-Windows apparently is.
What most Microsoft haters won't admit is that any program can be hacked and sooner or later, it will be.