Hackers move fast to exploit just-patched IE bug

Three days after Microsoft fixed flaw, Symantec spots active attacks

Just three days after Microsoft patched 11 bugs in Internet Explorer (IE), hackers are exploiting one of those vulnerabilities, a security company said Friday.

Microsoft fixed the flaw Tuesday in an 11-patch update for IE. That update was part of a larger Patch Tuesday roll-out that quashed 34 bugs in 16 separate security bulletins.

Most security experts had put the IE update at the top of their priority lists, and urged Windows users to deploy it as soon as possible.

Today, Symantec reported that CVE 2011-1255 -- its assigned ID in the Common Vulnerabilities and Exposures database -- is already being abused.

"So far, we have only seen limited attacks taking advantage of this vulnerability and believe that the exploit is only being carried out in targeted attacks at present," said Joji Hamada, a senior researcher with Symantec's security response team, in a post to a company blog .

Hamada said that Symantec had found an exploit on an apparently-compromised site that automatically downloads an encrypted malicious file to the PC of any user browsing with an unpatched copy of IE8.

The malware shows some bot traits, Hamada added. Once planted on a machine, it contacts a remote server and listens for commands from its hacker overlords.

Although the CVE 2011-1255 vulnerability affects IE6 and IE7 as well as IE8, Symantec has only seen working exploits that target the latter.

IE9, the browser that Microsoft launched in mid-March, is not affected by the vulnerability, although it was also patched Tuesday to address four different bugs.

In the accompanying advisory , Microsoft pegged the flaw as "critical," its most-serious threat level, for IE7 and IE8 on all Windows machines, and for IE6 running on Windows XP. For IE6 on Windows Server 2003 Microsoft rated the bug as "moderate."

Microsoft also assigned a "1" to the vulnerability in its exploitability index, meaning the company expected a reliable exploit to appear within 30 days. The attackers beat that by a significant margin, putting their exploit into play within three days.

Microsoft was made aware of the flaw in late January by VeriSign's iDefense Labs, which had bought the bug from an anonymous researcher through its bounty program.

iDefense's own advisory categorized the vulnerability as a "use-after-free" bug, a type of memory management flaw that can be exploited to inject attack code.

Users unable to apply Tuesday's IE update can stymie the attacks Symantec has spotted by disabling JavaScript.

To turn off JavaScript, users should select the "Tools" menu in IE, then click "Internet Options," the "Security" tab and the "Internet" content zone. Next, click "Custom Level" and in the "Settings" box, click "Disable" under "Active scripting." Click "OK" in the current dialog box.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags symantecMicrosoftsecurityWindowssoftwareoperating systems

More about AppleiDefenseMicrosoftSymantecTopicVeriSign Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts