Hackers exploit unpatched IE bug with drive-by attacks

Microsoft confirms hackers targeting IE6; IE7 also at risk

Microsoft today warned that attackers are targeting Internet Explorer (IE) with an exploit of a critical unpatched vulnerability in all current versions of the browser.

Only IE9, which is still in beta, is unaffected.

Microsoft and others confirmed that attacks are circulating in the wild, primarily targeting IE6, the nine-year-old browser that Microsoft's been trying to kill for more than a year.

"So far, the attacks we have seen only target Internet Explorer 6 and would not have been successful against Internet Explorer 8," said Andrew Roths, Jonathan Ness and Chengyun Chu, three engineers who work on the Microsoft Security Response Center team.

Microsoft downplayed the threat, saying it has seen only "extremely limited" attacks thus far.

The exploit relies on a heap spray to take down IE, said Roths, Ness and Chu. Hackers can hijack Windows PCs by getting users to visit a malicious site, making the threat a classic "drive-by" attack that can instantly commandeer a machine with a vulnerable version of IE.

Although the newer IE8 contains the vulnerability, it's immune to the current round of attacks because it switches on DEP, or data execution prevention, by default. DEP is one of two key defensive measures within Windows -- the other is ASLR, or address space layout randomization -- designed to block attacks, or at least make the hacker work harder.

Antivirus vendor Symantec said that it had first seen exploits aimed at the IE bug several days ago when it came across spam that had been sent to select individuals within some organizations. The messages posed as hotel reservation notifications.

"Within the e-mail, the perpetrators added a link to a specific page hosted on an otherwise legitimate site," said Symantec researcher Vikram Thakur in an entry on his company's blog . "The hackers had gotten access to the Web site account and uploaded content without the owners knowing."

Anyone visiting the hacked site with IE6 or IE7 -- the former doesn't support DEP, while the latter doesn't enable it by default -- is infected with malware that opens a "backdoor" on the compromised computer, then downloads a number of files containing additional commands

Symantec said it reported the bug to Microsoft and reached out to the owners of the server hosting the attack page and malware. That server has since been taken offline.

"The files on this server had been accessed by people in lots of organizations in multiple industries across the globe," said Thakur. "[But] very few of them were seen accessing the payload file, which means that most users were using a browser which wasn't vulnerable or targeted."

Microsoft did not say when it would patch the bug, and urged users to protect themselves by upgrading to IE9's beta or implementing one of several workarounds. Among the latter: Turn on DEP in IE7; apply a custom cascading style sheet (CSS) for formatting documents loaded in IE; and deploy and configure EMET (Enhanced Mitigation Experience Toolkit), a free utility available for download from Microsoft's site .

EMET is a stop-gap designed to keep older applications secure until companies upgrade to up-to-date, and theoretically safer, versions of those programs. The tool lets IT administrators, and consumers willing to take the plunge, switch on several Windows defenses -- including ASLR and DEP -- for applications whose developers didn't turn them on by default.

Microsoft also said that it's unlikely that the exploit could be bundled with another to sidestep DEP. "The current techniques for bypassing DEP cannot be directly applied because the memory corruption is a partial vtable pointer overwrite," said Roths, Ness and Chu.

Attacks able to work around DEP have become more popular of late. Last March, Dutch researcher Peter Vreugdenhil exploited a vulnerability in IE8 running on Windows 7 with attack code that evaded both DEP and ASLR to win $10,000 at the fourth-annual Pwn2Own contest. Several months later, Ruben Santamarta, a researcher at the Spanish security firm Wintercore, published attack code for a critical vulnerability in IE8 that he said bypassed DEP and ASLR.

The next regularly-scheduled Patch Tuesday for Microsoft is Nov. 9, but if past practice is any clue, it's very unlikely a fix will be available by then. A better bet would be Dec. 14, which will probably contain a cumulative update for IE because Microsoft has taken to patching its browser on even-numbered months.

So far, the bug doesn't meet the bar for issuing an emergency, or "out-of-band" update, Microsoft spokesman Jerry Bryant said.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsMicrosoftsecuritybrowserssoftwareMalware and Vulnerabilities

More about Andrew Corporation (Australia)MicrosoftSymantecToolkit

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place