Microsoft Preps IE Flaw Fix; Sites Exploiting Bug Multiply

Web spyware

As of Monday, security firm Websense Inc. said the number of unique Web sites taking advantage of the vulnerability had remained at about 200 since Sunday, because the sites taken down had been replaced by a roughly equal number of new ones. The overall number, however, was expected to grow over time.

An entry on the Microsoft Security Response Center blog said the company was seeing "only limited attacks." Nevertheless, Microsoft was working on a fix that would be ready at least by April 11, the next regularly scheduled patch day, if not sooner.

"The IE team has the update in process right now and if warranted we'll release that as soon as it's ready to protect customers," the posting said.

The vulnerability enables hackers to exploit active scripting in IE to install keystroke loggers and other malicious software. Active scripting is a Microsoft technology that allows different software components to interact over the Internet.


Dan Hubbard, senior director of security at Websense, said he believed a "limited number" of people or groups were exploiting the flaw, since the malicious code on the sites was similar. Others, however, were expected to follow.

"We do believe that additional attacks will occur with different payloads," Hubbard said in an email.

The flaw, which is in IE 5.01, 6.0, and the January version of IE 7 Beta 2 Preview, was serious enough to prompt security vendor Symantec Corp. to raise its "Internet Threat Meter" for Web activities to "medium risk."

Microsoft recommended that customers who believe their machines may have been infected should visit the company's Windows Live Safety Center to have their machines scanned and the malware removed.

Security experts, however, recommended that people visit sites they know are safe, or use another browser, such as Firefox from the Mozilla Corp.

The unpatched vulnerability was first disclosed last Wednesday, raising alarms from security companies even before the first Web site exploiting the flaw was found. The SANS Institute's Internet Storm Center, for example, lifted its InfoCON level to "yellow" for the first time since late December when another zero-day flaw hit Windows users.

The Windows Metafile bug spawned hundreds of sites that used the flaw to load spyware, including keystroke loggers and backdoor Trojans, onto users' PCs.

In the latest CreateTextRange bug, security experts believe hackers would most likely use spam to lure people to sites capable of installing malware.