New Microsoft Internet Explorer allows flaw

By SHAUN WATERMAN, UPI Homeland and National Security Editor  |  Dec. 11, 2008 at 8:10 PM
share with facebook
share with twitter

WASHINGTON, Dec. 11 (UPI) -- Software giant Microsoft is advising users of its Internet Explorer browser to turn their security settings to the highest levels to guard against a newly discovered flaw that enables hackers to take over the computer of anyone visiting a compromised Web site.

Such "drive-by downloads" are especially dangerous because malicious software is loaded as soon as the victim computer arrives at the site, without the user having to take any additional action, such as clicking on a pop-up window. Hackers can even load exploits into fake banner advertisements on innocent Web sites, if they can get access to the server that hosts them.

A security advisory from Microsoft said its researchers were "actively investigating the vulnerability," which had not been widely exploited by hackers so far. "On completion of this investigation, Microsoft will take the appropriate action to protect our customers."

"At this time, we are aware only of limited attacks that attempt to use this vulnerability," reads the advisory, adding that "they are not successful against customers who have applied the workarounds listed."

Customers are warned to turn the security-level setting on Internet Explorer to high, or to take other actions to prevent Explorer running Web scripts automatically. Such scripts animate banner ads or other moving pictures and interactive features, and disabling them interferes with viewing and using sites that use them.

"Setting the level to high may cause some Web sites to work incorrectly," notes the Microsoft advisory.

Millions of users of Internet Explorer, including those working for Fortune 500 companies and the U.S. government, are vulnerable to attack by hackers exploiting the vulnerability, which, depending on the way the exploit software is written, can download a variety of malicious payloads on to the affected computer.

Trojan attacks like those enabled by this latest vulnerability are a major way that home and corporate or government computers are recruited into so-called bot-nets, or robot networks of slave computers that, unbeknownst to their users, are being used to send spam or take part in cyberattacks.

Trojans also can be used to steal logins and passwords, and that was what the small number of exploits seen so far are designed to do.

Internet security intelligence research outfit iDefense said the vulnerability was accidentally disclosed by a Chinese security research firm called Knownsec. The firm disclosed the leak in a Chinese-language Web posting earlier this month. The posting said the researcher responsible wrongly believed the vulnerability had already been patched by Microsoft. Patches are updates to software that are automatically distributed by vendors to all their customers, who can then download and install them to protect their computers from the latest known threats.

Newly discovered security flaws like the one acknowledged Wednesday by Microsoft are called Zero-Day vulnerabilities and are especially prized by hackers, because even a fully patched system can be infected by a malicious software package.

iDefense said after this vulnerability leaked, it was sold for about $15,000 and then used to create a Trojan horse malicious software program designed to steal the logins and passwords of Chinese war-gamers playing in online virtual worlds like World of Warcraft.

"The four versions of the exploit we've seen so far are designed to steal Chinese gamer credentials," said Richard Howard, iDefense director of intelligence, "but the exploit is so juicy, we expect to see it spread fast."

He said the workarounds advised by Microsoft were effective against the versions seen so far, but there are ways of exploiting the new vulnerability that would not be prevented by blocking scripts.

"This is going to be a lasting threat until Microsoft gets it patched," he said. "Home users could switch to alternate browsers and be safe," he said. But corporate or government users would "have a harder time with that," at least "in the short term."

Non-Microsoft Web browsers like Firefox, Opera or Safari are considered to be more secure by some experts, if only because so much more malicious software is written to exploit Internet Explorer, which dominates the browser market.

Microsoft spokesman Christopher Budd said in a statement that, if necessary, the company would issue a special "out of cycle" patch for the vulnerability, "depending on customer needs." Generally Microsoft issues updates to all its software on the second Tuesday of every month, but periodically the company issues special patches, usually to deal with a newly discovered flaw like this one.

Trending Stories