Posted on 09/21/2006 5:31:55 PM PDT by Eagle9
Exploits against the unpatched vulnerability in Microsoft's Internet Explorer are increasing and attackers are gathering momentum, researchers said Thursday. They warned that the problem would become worse if cyber criminals attack via e-mail next.
"It might come to nothing, but it feels like a storm's coming," said Roger Thompson, the chief technology officer at Exploit Prevention Labs. "The potential is there. Call it a storm watch, not a storm warning."
At least two different exploits have appeared this week, said Thompson, one linked to the Russian-made hacker exploit kit called WebAttacker, the other posted early Thursday on the xSec gray-hat vulnerability research site. That second exploit can launch remote code without using JavaScript, which the original exploit inserted in the WebAttacker kit relied on; it's more dangerous for that reason.
"The xSec exploit doesn't work as posted," said Thompson. "It only crashes the browser. But it looks like it would be easy to turn it into a working exploit."
Worse, the current attack vector -- malicious Web sites that infect only those who happen to view one of their pages -- may be replaced by a wide-scale attack carried out by e-mail, said Ken Dunham, the director of iDefense's rapid response team.
"The newest exploit works with e-mail," said Dunham. "We took the newest version of Outlook, all patched, and the exploit crashed it." With some help from iDefense researchers, however, the exploit was able to execute other code. That means e-mail clients that preview HTML messages using the IE rendering engine are at risk. Just previewing a message could result in a computer hijacked by a bot or loaded with adware, spyware, or other malicious code.
"You would be attacked immediately, as soon as the preview is rendered," said Dunham.
Dunham's surer than Thompson that the VML vulnerability will soon explode. "It's imminent. I would not be surprised if a small number of e-mails were already being sent to companies or governments."
Dunham compared the WMF (Windows Metafile Format) vulnerability of late December 2005 to the current situation. "Within 24 hours, targeted e-mail attacks were made against the Korean government and the U.K. Parliament. I think [the VML vulnerability] will rival WMF," Dunham said. "It's trivial to change."
An e-mail attack was also on Thompson's mind. "I'm watching some big spam runs that are linking to older versions of WebAttacker," he said. "Some of these sites use the power of spam to magnify their attacks, and the power of the Web to draw in people." It would be very easy, Thompson said, for a spammer to simply insert a link to a URL hosting the newest edition of WebAttacker -- the edition with the VML exploit -- in the junk mail he sends out.
"It would be nice if Microsoft released a patch," he added. But there are no indications that Microsoft will break from its regular security update schedule, which is set to release fixes on Oct. 12, two-and-a-half weeks away.
For Dunham, it wouldn't be a stretch to assume that slick, sophisticated cyber criminals will target specific organizations -- companies, universities, and government agencies -- with e-mail infections. "There are people out there with a military or state or political agenda. They have targets, and they've identified those targets. All they're doing is looking for a way to compromise those computers."
The motivation? One of the oldest in the book: Money. "There is a market in the underground for corporate or government secrets," said Dunham. "An attack [like this] could even threaten a country's national security."
Microsoft has faced similar situations this year, and patched out-of-cycle only once, against the WMF bug in early January, and then only after the number of sites hosting an exploit ballooned in just days. "If anything breaks, I think they will release a patch," said Thompson. "But it's not a storm yet."
New Exploit Rocks IE, Downloads Scores Of Spyware, Adware (9/19/2006)
http://www.freerepublic.com/focus/f-news/1704561/posts
How To Defend Against IE's VML Bug (9/20/2006)
http://www.freerepublic.com/focus/f-news/1705072/posts
IE Exploit Could Soon Be Used By 10,000-plus Sites (9/20/2006)
http://www.techweb.com/wire/security/193004128;jsessionid=UFDKNTP55TK0OQSNDLRSKHSCJUNN2JVN
Secunia rated this Highly Critical on 9/19/06 and that was before the second exploit had been discovered.
bttt
It is amazing that nobody has started a class-action lawsuit against Micro$oft for costing BILLIONS to the US and world economy and delivering invaluable tools to thousands of crooks and criminals worldwide.
But Apple has 3 class-action lawsuits because some people's iPods have scratches!
CAN YOU BELIEVE THAT?
F*CK BILL GATES and his millions of morons that buy his pathetic products.
This is why I have AVG Anti-Virus Free Edition 7.1.405 constantly updated with the latest antivirus definitions.
Actually it is. Any Windows program that uses the vgx.dll is vulnerable.
Several articles have said it isn't.
When will people learn to stop using I.E? Ever notice that these problems didn't exist when Netscape had the browser market? IE is junk; always was, always will be. Use Firefox, Flock, Sea Monkey, or Opera.
Yeah. Seems to be a lot of conflicting info out there. Not sure what to believe.
So?? There will be new issues once IE7 is official... just like there are with every other browser with a decent market share.
Now THERE'S a headline you don't see very often!
SNORT!!!
I've used Firefox for years and have Opera 9.1 as my backup, with bookmarks from Firefox.
We're all doooooooomed!!!!!!!
http://www.symantec.com/security_response/writeup.jsp?docid=2006-091914-1801-99
Yeah, that is something the Microsoft bashers don't realize. If 90% of us used Linux or Apples, then 90% of the viruses and spyware would be made for those systems.
Zero day exploits and drive-by downloads are even more inconvenient. Stick with FF. Better yet, ditch Windows.
We are in the mortgage business and most of the online underwriting, credit reporting agencies, and other entities require us to use IE. It would be nice to be a techie and just be able to browse around all day using some other browser but we can't.
So, which systems do the other 10% attack? I know of no viruses or spyware that affect any Linux distribution or Apple's OS at all.
They exist but are fairly rare which is why you don't hear about them.