From the Washington Post:
Newly Detected IE Exploit Spells Massive Spyware Trouble
A previously undocumented flaw in Microsoft's Internet Explorer Web browser is reportedly being exploited by online criminals to install an entire kitchen sink of malicious software on any computer that visits any of a handful of sites currently exploiting the vulnerability.
Researchers at Sunbelt Software discovered the exploit last week while conducting some routine online surveillance of known crimeware gangs. According to Sunbelt researcher Eric Sites, the exploits at the moment appear to be hosted mainly on hardcore porn sites. But if past experience with new IE exploits holds true, we may soon see this exploit being sewn into the fabric of legitimate, but poorly programmed, business Web sites that hackers can manipulate to their advantage.
According to Sites, among the nasty pieces of software an IE user can expect to be whacked with upon visiting one of the sites is the BigBlue keystroke logger, which monitors and captures data from computers including screenshots, keystrokes, web cam and microphone data; it also records instant messaging chat sessions, e-mail information and the Web sites visited by the user.
The exploit is also being used to install the incredibly invasive Spybot worm and VXGame Trojan, as well as adware titles that scam artists profit from on a per installation basis, such as Virtumondo, SafeSurfing, Avenue Media, WebHancer, Internet Optimizer, SurfSidekick, DollarRevenue, and the bogus anti-spyware program SpySheriff.
And that's not even the half of it, Sites said. "We haven't even fully analyzed this piece of malware yet."
Sites said Sunbelt had notified Microsoft of the discovery. I put in a call to the company late Monday but haven't heard back yet. I will update the blog when I hear back or when the company issues an advisory about this.
This whole thing is starting to smell a lot like the activity that preceded similar attacks on an unpatched IE flaw at the beginning of the year. For a week or so at the end of 2005, a handful of crime groups were using an undocumented IE vulnerability to attack people who visited a small number of fringe or hardcore porn Web sites, and Microsoft downplayed the threat from it by noting that fact. As the new year arrived, however, hundreds of legitimate Web sites had been compromised and were installing spyware on the computers of any user who visited them with the IE browser.
"Usually, as soon as we see these things in the wild like this they start spreading very quickly," Sites said.
Sites said the flaw appears to be the result of Microsoft's implementation in IE of "vector mark-up language," or "VML" for short -- an XML Web programming language used to create scalable graphics.
This new exploit, combined with two other publicly available exploits for a separate, unpatched IE flaw, should give pause to anyone using the Microsoft browser. My advice: If you or someone you care about is in the habit of cruising the Web with IE, now would be a very good time to get acquainted with another browser that doesn't use IE's rendering engine, such as Firefox or Opera.
But if IE is your browser of choice, make sure you have Windows set to receive automatic software updates, and be very careful about visiting Web sites that are off the Internet's beaten path.
Update, Sept. 19, 12:06 a.m.: I neglected to mention that IE users can mitigate this flaw by disabling Javascript in the browser. To do this, click on "Tools," then "Options," and then on the "Security" tab, scroll down to the section marked "Scripting," and select either "Prompt" or "Disable" for active scripting.
Update, Sept. 19, 12:08 p.m.: Microsoft is now acknowledging the existence of this flaw, which it said "could allow an attacker to execute arbitrary code on the user's system," and that Redmond "is aware of limited attacks that attempt to exploit the vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the October security updates on October 10, 2006, or sooner as warranted."
Microsoft may quickly find that sooner is in fact warranted in this case. It's worth noting that once again online crooks have waited until just after Microsoft releases its monthly patches to begin exploiting this new flaw (Sunbelt said it first spotted this new exploit last week, just hours after Patch Tuesday). The bad guys appear to be gaming Microsoft's patch process with a fair degree of regularity.
By Brian Krebs | September 18, 2006; 10:25 PM ET | Category: Latest Warnings
Guarding Against the New IE Exploit
Earlier this week Security Fix wrote about a newly discovered vulnerability in Microsoft's Internet Explorer Web browser that bad guys were exploiting to install malicious software when users merely browsed certain nasty Web sites.
That post advised users who wanted to continue using IE to jack up the Javascript security settings on the browser, but as the most recent attacks with this exploit have shown, the bad guys don't need to use Javascript to execute their attacks with this vulnerability.
Microsoft has since published an advisory with a workaround that seems to be pretty effective at stopping these attacks, pending the release of a patch from Microsoft (the company says it may not arrive until Oct. 10). The temporary fix involves "unregistering" the vulnerable Windows component, and is a pretty straightforward step that should help mitigate this threat.
The problem is present in all versions of IE 5.0 and higher, according to US-CERT. I have not seen anyone test this exploit against IE 7 yet, but I've not heard of any evidence that the later version is vulnerable.
The following workaround works on Windows XP Service Pack 1 and 2, Windows Server 2003 and Windows Server 2003 Service Pack 1:
1) Open up a command prompt: Click "Start," then "Run," and a text box should pop up.
2) Cut and paste the following text into that box: regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
3) Then hit enter or click "Ok." You should then receive a pop-up window stating that the vulnerable component has been unregistered.
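A check-and-apply version of the workaround above, added here as an example (it is not from the original post or from Microsoft's advisory). It assumes an elevated PowerShell session and the vgx.dll path quoted in the post, and it passes regsvr32 the /s switch so the pop-up is suppressed and the exit code is checked instead; the registry scan confirms whether any COM class still points at vgx.dll before and after.

```powershell
# Added example (not from the original post): verify whether vgx.dll is
# registered as a COM server, apply the regsvr32 -u workaround from the
# post silently, then confirm the registration is gone.
# Assumes an elevated (Administrator) PowerShell session.

$VgxPath = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'

# Return the CLSIDs whose in-process server is vgx.dll; an empty result
# means the component is not registered (i.e. the workaround is in place).
function Get-VgxClsid {
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and ($srv.'(default)' -like '*\vgx.dll*')) { $_.PSChildName }
        }
}

# Run regsvr32 without its dialog box (/s) and return the exit code; 0 is success.
function Invoke-Regsvr32 {
    param([string[]]$Arguments)
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $Arguments -Wait -PassThru -WindowStyle Hidden
    return $p.ExitCode
}

if (-not (Test-Path $VgxPath)) {
    Write-Host "vgx.dll not found at $VgxPath; nothing to unregister."
    return
}

$before = @(Get-VgxClsid)
Write-Host "Before: $($before.Count) CLSID(s) point at vgx.dll"

$rc = Invoke-Regsvr32 -Arguments @('/u', '/s', "`"$VgxPath`"")
if ($rc -ne 0) { throw "regsvr32 -u failed with exit code $rc" }

$after = @(Get-VgxClsid)
if ($after.Count -eq 0) {
    Write-Host 'vgx.dll is no longer registered; workaround applied.'
} else {
    Write-Warning "vgx.dll is still referenced by: $($after -join ', ')"
}

# To undo once the patch is installed: Invoke-Regsvr32 -Arguments @('/s', "`"$VgxPath`"")
```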
Even if you don't use IE as your default browser, disabling this Windows component may prove essential. One need only look back at the security headaches Windows users had earlier this year with the Windows meta file (WMF) vulnerabilities, when Microsoft was forced to issue a patch outside of its normal monthly patching process in part due to the creation of unofficial patches from third-party security vendors.
With that problem, it was sufficient for Windows users merely to have the vulnerable WMF component active on a system for it to be compromised by a variety of different means, whether through a third-party e-mail client or other software that might invoke the flawed component.
Incidentally, anyone willing to take bets on how long it will be until we start to see a repeat of third-party patches to fix this problem?
By Brian Krebs | September 21, 2006; 2:29 PM ET | Category: Latest Warnings