SecurityFocus 2006-03-28
UPDATE: Hundreds of malicious Web sites are attempting to exploit the most critical of two flaws announced last week in Microsoft's browser, convincing two companies to release workarounds late Monday to head off the threat.
Security firms Determina and eEye Digital Security each created a standalone patch to protect Windows systems that use Internet Explorer to browse the Web. The vulnerability, the most critical of three announced in the last week, is reportedly being actively exploited by more than 200 malicious Web sites.
"Obviously these things (fixes) are experimental in nature but considering the options of being vulnerable or at least having a fighting chance--well, I think you get the point," Marc Maiffret, chief hacking officer for eEye, said in a statement announcing that company's fix. "Again, this is just another mitigation option until Microsoft releases their patch, which last was scheduled for April 11th, or 16 days from now."
The third-party patches are the latest fixes to be released by companies other than Microsoft, when the software giant's response is perceived to leave customers at risk. In January, an independent software programmer released a patch for a critical flaw in the Windows Meta File (WMF) format that also affected users of Internet Explorer. The companies, and the researcher that released the WMF patch, do not refer to the fixes as permanent solutions but temporary workarounds.
Microsoft did not recommend that Windows users install the patches, said Stephen Toulouse, security program manager for Microsoft.
"While the IE team is working on an update to address the problem, we certainly recommend a defense-in-depth strategy that involves third party tools such as antivirus or IDS/IPS (intrusion detection/prevention system) solutions," Toulouse said in a blog posting. "However we cannot recommend third party solutions that modify the way the product itself operates."
Last week, Microsoft confirmed reports of the latest vulnerability in Internet Explorer. The flaw occurs in the way that the software giant's browser handles certain HTML objects with Internet Explorer's CreateTextRange function. The flaw affects Internet Explorer 6.0 and 5.01.
"So far we're still seeing only limited attacks," Toulouse said in a second post on the Microsoft Security Response Center (MSRC) blog. "But our anti-malware team, as always, is on the case and has uploaded removal information for the attacks to date to Windows Live Safety Center."
Another flaw disclosed last week affects Internet Explorer's processing of HTML applications, also known as HTAs. While the researcher that found the flaw created proof-of-concept code to exploit the issue, no publicly available code is known to exist. Earlier in March, a third researcher found a way to use Internet Explorer's Java applet functions to cause a denial-of-service attack.
The most critical vulnerability of the three is the CreateTextRange issue, said Dan Hubbard, senior director of research for security firm Websense. The company, which scans 80 million Web addresses every 24 hours in search of exploits, found 200 URLs that attempted to exploit the CreateTextRange issue. The Web pages reside on compromised servers and have likely been created by a single person or a small group, he said.
"The code semantics for the Web sites are almost completely the same," Hubbard said. "There are a few variants which change the location from where they are downloading the payload. Basically, there are three different versions of the exact same thing."
The pages use the flaw to install a download Trojan horse program that fetches another piece of software to scan a victim's machine and grab sensitive data. The programs also log keystrokes, Hubbard said.