Brian Krebs on Computer Security
Attacks on Unpatched IE Flaw Escalate
More than 200 Web sites -- many of them belonging to legitimate businesses -- have been hacked and seeded with code that tries to take advantage of an unpatched security hole in Microsoft's Internet Explorer Web browser to install hostile code on Windows computers when users merely visit the sites.
In an update to its Security Response Web log, Microsoft security program manager Stephen Toulouse said the attacks Redmond is seeing against the IE flaw "are limited in scope for now and are being carried out by malicious Web sites."
I have to call Microsoft out on both counts, and I think some of what I've uncovered so far about these attacks should make it clear that the situation is serious and getting worse by the hour.
According to a list obtained by Security Fix, hackers have infected at least 200 sites, many of which are not the kind you would normally associate with such attacks (i.e., porn and pirated-software vendors). Among the victims are a regional business council in Connecticut, a couple of vacation resorts in Florida, a travel-reservation site, an online business consultancy, an insurance company, and a site featuring things to do in various cities across the country.
On Friday, hackers broke into the Web site of shipping company DLPromotionFreight.com and planted code that attempted to use the flaw to steal user names and passwords stored by IE. Yaniv Zahavi, chief technology officer for Intermakers Inc., the Plantation, Fla., company that manages the site, said it appears that only a handful of customers browsed the site during the few hours the attack code was present.
Security Fix learned the location of one Web site being used as a virtual drop box for user name and password data stolen from people who'd visited the network of hacked sites (the SANS Internet Storm Center has a great post detailing exactly what one of these data-dump reports looks like). One of those victims was Abdel Marriez, a truck driver from Astoria, N.Y. The malicious program stole credit card information and credentials he used to access his e-mail online.
Marriez said he couldn't understand how the code could have landed on his computer, since he said he is fastidious about ensuring his Norton anti-virus program has the latest updates from Symantec. After this experience, he said, he plans to change browsers.
"IE and me are through, that's it," Marriez said.
That same password-stealing program landed on the Windows PC belonging to Reaz Chowdhury, a programmer for Oracle Corp. who works out of his home in Orlando, Fla. Chowdhury said he's not sure which site he browsed in the past 24 hours that hijacked his browser, but he confirmed that the attackers had logged the user name and password for his company's virtual private network (VPN). Chowdhury also uses Norton anti-virus, which did not pick up any signs of infection. He said he won't rely on his anti-virus program to clean things up.
"It's really not worth the risk," Chowdhury said. "I'm going to reinstall [the operating system] just to be sure."
Both of these situations illustrate the dangers of relying only on anti-virus software. That is not to say anti-virus software is useless. It is a necessary element of protection for any Windows PC, and for better or worse will remain so for the foreseeable future. But there is a window of time between the creation of a new virus or worm and the availability of new anti-virus "definitions" that identify the intruder as malicious.
Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code" and that people who want to use IE should either disable "active scripting" or download the IE7 beta2 preview.
Instructions for disabling active scripting are under the "workarounds" section of this Microsoft advisory (which, incidentally, is three clicks away from the Microsoft.com homepage). Microsoft warns, however, that this may cause problems loading some Web sites.
Indeed, I tested this solution as Microsoft recommends and found I could no longer access my Web mail. Turns out I also needed to add it to my list of "trusted sites," though Microsoft's advisory doesn't really make that clear. See this non-Microsoft site for a decent tutorial on how to set up your trusted-sites list.
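The two steps above (disable Active Scripting in the Internet zone, then put the sites you still need into the Trusted sites zone) are stored by IE as per-user registry values, so the workaround can be audited and applied with a script instead of clicking through Internet Options on every machine. The following PowerShell is an added example, not code from the original post or from Microsoft; the zone ids and the `1400` URL-action value are the documented IE security-zone registry entries, while the function names and the `example.com` domain are my own constructed placeholders.

```powershell
# Added example: audit and apply the IE Active Scripting workaround via the registry.
# Zone ids: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
# URL action 1400 = Active Scripting; its value is 0 = enable, 1 = prompt, 3 = disable.
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$InternetZone = 3
$TrustedZone  = 2
$ActiveScripting = '1400'

function Get-ActiveScriptingSetting {
    # Report how the given zone currently treats Active Scripting.
    param([int]$Zone = $InternetZone)
    $value = (Get-ItemProperty -Path "$ZonesKey\$Zone" -Name $ActiveScripting -ErrorAction Stop).$ActiveScripting
    switch ($value) {
        0       { 'Enabled' }
        1       { 'Prompt' }
        3       { 'Disabled' }
        default { "Unknown ($value)" }
    }
}

function Disable-ActiveScripting {
    # The workaround from the advisory: scripting off for everything in the Internet zone.
    param([int]$Zone = $InternetZone)
    Set-ItemProperty -Path "$ZonesKey\$Zone" -Name $ActiveScripting -Value 3 -Type DWord
}

function Add-TrustedSite {
    # Map a domain into the Trusted sites zone so it keeps working with scripting on.
    # IE reads a DWORD named after the scheme (http/https) whose value is the zone id.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Scheme = 'https'
    )
    $key = Join-Path $ZoneMapKey $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value $TrustedZone -Type DWord
}

# Usage: show the current state, apply the workaround, then whitelist one site.
"Internet zone Active Scripting before: $(Get-ActiveScriptingSetting)"
Disable-ActiveScripting
"Internet zone Active Scripting after:  $(Get-ActiveScriptingSetting)"
Add-TrustedSite -Domain 'example.com'   # constructed placeholder for your own Web-mail host
"Trusted zone Active Scripting stays:   $(Get-ActiveScriptingSetting -Zone $TrustedZone)"
```

The script only edits HKEY_CURRENT_USER, so it changes the zone settings for the user who runs it; if an administrator has locked the zones through policy (HKLM values take precedence), the per-user change is ignored. Running `Get-ActiveScriptingSetting` afterwards is the quick check that the workaround actually took effect, and it is the same check you would script across a fleet before trusting that the exposure is closed.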
Rather than download a "beta" (read: potentially unstable) version of IE or wait around for Microsoft to issue a fix, a far better idea would be to ditch IE altogether (or use it only when absolutely necessary). I use Mozilla's Firefox for everyday browsing, but your mileage may vary. There are other options, of course, such as Opera and Netscape, to name a couple.
What amazes me is how many Windows users seem to blindly equate Internet Explorer with access to the Internet -- in much the same way that many America Online users are unsure whether they can use someone else's browser once they've signed on to their account. Even after you tell people that they may have just been whacked with a virus due to a flaw in IE, they still use it.
Case in point: One guy I contacted to tell him his site was serving up this exploit code went to check his home page and then told me his browser just crashed on him. I had to ask: "Don't tell me you just visited the site in IE?" He had. I could only shake my head and sigh.
Security company Secure Elements rated the severity of the vulnerability at its highest level, 10, because it can be remotely exploited and an exploit has been released.