Wave of malicious websites exploit new IE vulnerability
Posted on 29 Mar 2006 at 10:41
Microsoft's week of woes continues with the news that a number of malicious sites have cropped up taking advantage of an unpatched bug in Internet Explorer.
Redmond is seeking to reassure customers that it is addressing the problem that affects the vast majority of copies of Internet Explorer in the hands of customers - including fully patched versions of Windows XP with SP2. The exploit can be triggered simply by visiting a maliciously crafted web site.
Microsoft says that at the moment it is 'seeing only limited attacks' that make use of the vulnerability, although security firms are saying that they have received 'numerous reports' of malicious sites hosting the exploit.
The vulnerability, which has been rated as 'Highly Critical' by security firm Secunia, is an unpatched flaw in all versions of Internet Explorer running on Windows 2000, Windows XP and Windows Server 2003, as well as the Internet Explorer 7 Beta 2 Preview. It arises from the way Internet Explorer handles a call to the 'createTextRange()' method on a radio button control in an HTML form. Once triggered, program flow is redirected into the heap, at which point an attacker who controls the heap contents can run malicious code on the computer.
Microsoft is reassuring IE users that the company has the threat in hand. Stephen Toulouse, the Communications Manager for Security Response at Microsoft, writes in a blog post: 'Our anti-malware team...has uploaded removal information for the attacks to date to Windows Live Safety Center. I want to reiterate that the IE team has the update in process right now and if warranted we'll release that as soon as it's ready to protect customers.' At the moment Microsoft plans to release a fix on the next Patch Tuesday, due on 11 April.
However, security firm eEye Digital Security says there have been numerous reports of this vulnerability being used on various websites in attempts to install spyware and remote-control bot software for use in Distributed Denial of Service (DDoS) attacks.
eEye says that users worried about the vulnerability should disable Active Scripting from within Internet Explorer. It has also posted its own unofficial 'temporary patch' in the absence of an official fix from Microsoft.
Microsoft, however, warns users to be wary of third-party fixes. Mike Reavey of Microsoft's Security Response Center said: 'Some of these solutions make modifications to Windows itself to bypass the attack vector of the vulnerability. Of course, while the IE team is working on an update to address the problem, we certainly recommend a defense in depth strategy that involves third party tools such as AntiVirus or IDS/IPS solutions. However we cannot recommend third party solutions that modify the way the product itself operates. The reason is really around the fact that we carefully review and test our security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. And for IE it's not only application compatibility, but web compatibility also. Our updates are offered in 23 languages simultaneously for all affected versions of the software. Microsoft cannot provide similar assurance for independent third party security updates or mitigation tools.'
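The workaround eEye recommends above, disabling Active Scripting, can be applied from the Internet Options dialog or by setting the zone's registry value, which is easier to audit across many machines. The following PowerShell script is an added example and is not code from the article, from eEye or from Microsoft. It reads and sets the 'Active scripting' URL action (value name 1400) under the current user's Internet zone key (zone 3); the key path, value name and the 0/1/3 meanings are the documented Internet Explorer security-zone registry layout, while the function names and parameters are this example's own. Disabling scripting in the Internet zone breaks most scripted sites, so sites that need it are normally added to the Trusted sites zone (zone 2), which this script leaves untouched.

```powershell
# Added example: read and set the IE "Active scripting" action (value 1400)
# for one security zone under HKCU. Function names are this example's own.

$ZonesKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveScripting = '1400'   # URL action: Active scripting
$InternetZone    = '3'      # 0=Local machine, 1=Intranet, 2=Trusted, 3=Internet, 4=Restricted

function Get-ActiveScriptingState {
    param([string]$Zone = $InternetZone)
    $key  = Join-Path $ZonesKey $Zone
    $item = Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (zone default applies)' }
    switch ($item.$ActiveScripting) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "unknown ($_)" }
    }
}

function Set-ActiveScriptingState {
    param(
        [Parameter(Mandatory)] [ValidateSet('Enable', 'Prompt', 'Disable')] [string]$State,
        [string]$Zone = $InternetZone
    )
    $value = @{ Enable = 0; Prompt = 1; Disable = 3 }[$State]
    $key   = Join-Path $ZonesKey $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # DWORD value; -Force overwrites an existing setting.
    New-ItemProperty -Path $key -Name $ActiveScripting -PropertyType DWord -Value $value -Force | Out-Null
    # Read the value back so the caller sees what is actually in the registry.
    Get-ActiveScriptingState -Zone $Zone
}

# Usage: record the current state, then disable scripting for the Internet zone.
'Before: ' + (Get-ActiveScriptingState)
'After:  ' + (Set-ActiveScriptingState -State Disable)
```

The change applies only to the user whose hive is written and takes effect for new Internet Explorer windows. Enforcing it machine-wide is done through the Group Policy security-zone settings rather than by editing each user's hive, and the setting should be returned to 'Enable' once the Microsoft update has been installed.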
Author: Steve Malone

Printed from www.pcpro.co.uk
