IE under attack: Microsoft ponders emergency patch
Microsoft confirms a wave of drive-by downloads targeting a zero-day browser vulnerability and says Internet Explorer users can expect a patch on April 11, if not sooner. Malicious hackers are using hijacked Web servers and compromised sites to launch a wave of zero-day attacks against an unpatched flaw in Microsoft's Internet Explorer browser. The first wave of drive-by downloads was spotted on March 25, and security experts tracking the attack say the threat is growing at a rate of 10 new malicious URLs every hour. eWEEK has seen a list of more than 20 unique domains and 100 unique URLs hosting the exploits, which are dropping a variant of SDbot, a virulent family of backdoors that give hackers complete ownership of infected computers. SDbot allows attackers to control victims' computers remotely by sending specific commands via IRC (Inter Relay Chat) channels. It has been used to seed botnets and plant keystroke loggers for use in identity theft attacks. The Microsoft Security Response Center has confirmed the attacks but insists they are "limited in scope." "Here's what we know. The attacks are limited in scope for now and are being carried out by malicious websites exploiting a vulnerability in the method by which Internet Explorer handles HTML rendering," said MSRC Program Manager Stephen Toulouse. "[We're] working day and night on development of a cumulative security update for Internet Explorer that addresses the vulnerability," Toulouse said in a blog entry posted at 5:21 a.m. on March 25. He said the IE patch is "on schedule" to ship as part of next month's Patch Tuesday, which will take place on April 11, but the company is not ruling out an emergency, out-of-cycle release if the threat escalates. "We'll release it sooner if warranted," Toulouse said. The attacks come less than 24 hours after Microsoft issued an advisory with interim workarounds for customers running IE on supported versions of Windows 2000, Windows XP and Windows Server 2003. According to Dan Hubbard, senior director of security and technology research at Websense Security Labs, his company's honeyclient crawler is capturing about 10 new malicious URLs every hour. "This looks very much like the WMF [Windows Metafile] attacks, [and] it appears to be just the beginning," Hubbard said in an interview with eWEEK. Hubbard, who was the first to discover the WMF zero-day attacks in the wild last December, said there is evidence that the attackers are currently testing different types of exploits on hijacked websites. "Some of these attackers are the same people that were exploiting the WMF vulnerability. They're using the same websites," Hubbard said. "This will continue to get worse over the weekend especially if they can figure out how to get the exploits to work efficiently. "One of the interesting things we're seeing is that the shell code doesn't work on a lot of these sites. That suggests they're testing the exploits and getting ready to do some major damage," he added. In addition to SDbot variants, Hubbard said the sites are dumping spyware and keystroke loggers on machines without requiring any user action. "Simply surfing to these sites will hose your machine," he warned. Although the attacks do not require any user action—simply surfing to a rigged site will trigger the exploit—researchers at Florida-based anti-spyware outfit Sunbelt Software said the WMF exploit, which used malicious images to execute the malware payload, was much more dangerous. "I don't want to spread undue panic. This is not like the WMF exploit, which had the cruel aspect of using a graphic file to execute a payload," said Sunbelt President Alex Eckelberry. "This fact broadened the attack vectors to graphics embedded in emails, graphics being viewed through Google Desktop [and other applications]. "This is not the same type of exploit. You still have to visit a specific page to get infected, [but] it does not affect email and the like," Eckelberry added. On the Websense blog, Hubbard has posted a screenshot of a golfing site that has been hijacked to serve up exploits. "The sheer percentage of sites that are compromised versus owned by the attacker is higher than usual," Hubbard noted. In particular, he said several travel-related sites that are hosted on different networks. Roger Thompson, a security researcher attached to Atlanta-based Exploit Prevention Labs, expects to see more than 5,000 malicious sites over the next few days. "You can expect to see rootkits coming down the pipe within the next 24 hours," Thompson said. Hubbard also suspects that a Web server exploit is being used in combination with the IE exploit to push the malicious code onto servers and then to clients. "In recent weeks we have also seen increases on our honeypots for several bulletin board programs, most notably PHPBB," he added. In the absence of a patch, Microsoft recommends that IE users configure the browser to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone. In addition, IE users can set Internet and Local intranet security zone settings to "High" to prompt before Active Scripting in these zones. The company is preparing a comprehensive patch to correct the vulnerability, which is caused by an error in the processing of the "createTextRange()" method call applied on a radio button control. UKFast is not responsible for the content of external Internet sites.