Hackers Still Exploiting 'Patched' Microsoft Browser

The problem stems from August 20 when Microsoft released patches for Internet Explorer 5.01, 5.5, 6.0, and version 6.0 for Windows Server 2003 that it said would fix an Object Type vulnerability, which could allow an attacker to run malicious code on a PC if the user navigated to the attacker's Web site. The original patch can be downloaded using Microsoft's WindowUpdate Service, or from the Microsoft TechNet Web site.

But the patch doesn't seem to be patching.

"Whether you are patched or not, attackers can execute code on your computer at will when you visit a hostile website when using vulnerable versions of Internet Explorer," said Ken Dunham, the malicious code intelligence manager for Reston, Va.-based iDefense.

A Microsoft Web page detailing the original Internet Explorer vulnerability it said that teams were investigating reports of new variations on the original flaw. As of publication time, Microsoft had not returned a call asking for comment.

However, according to sources outside of Microsoft, attackers are exploiting this vulnerability in a number of ways. Postings on the Bugtraq security e-mail list tell of one method where the attacker hijacks running AOL Instant Messenger (AIM) accounts, changes the password, and sends a message to the user's buddy list with a link to the malicious Web page.

Other attacks that exploit the undiscovered flaws in Internet Explorer, include one that entices users to porn Web sites, where code is downloaded that dials 900 numbers, racking up hundreds in charges without the user's knowledge. Another uses pop-up adds to drive users to pay-per-click Web sites, said Drew Copley, a research engineer at Aliso Viejo, Calif.-based eEye Digital Security, who discovered the original security vulnerability.

"In one sense, these are new bugs in IE," said Copley, "but in another sense they're not. Microsoft had more than three months to fix these, but they didn't." Copley said he originally notified Microsoft of the flaws in IE in mid-May.

"This is pretty scary stuff," said Dunham. "Any type of code could be deployed in this type of attack."

What's new here, said Dunham, is the vector used by attackers to plant their code on machines. While Trojan horse authors have used other methods to infect computers--worms that arrive in e-mail attachments, for instance, and attackers' ongoing exploits of the Microsoft Windows' RPC DCOM vulnerabilities--this route is more insidious.

"It used to be true that you couldn't get infected just by surfing the Internet," said Dunham. "But we're not talking about opening an attachment here. It doesn't matter if you've patched Internet Explorer. All you have to do is surf to one of these malicious sites, and boom, you're infected."

Saying that attackers have a "leg up on us at the moment," Dunham said that this zero-day vulnerability--so-called because the exploit is available, but a patch is not--poses a threat to anyone who uses relatively recent versions of Internet Explorer.

Users should consider disabling ActiveX controls and plug-ins in Internet Explorer until a revised patch is available, urged Dunham, and/or configure the browser to block ActiveX controls on untrusted sites. Microsoft has outlined workarounds that users can take to block ActiveX controls until a patch is re-released. They can be found in the original vulnerability's security bulletin under the Workarounds section of Frequently Asked Questions.

An alternate strategy would be to switch to another browser, such as Mozilla or Opera, which isn't affected by the vulnerability, said Dunham.

"Internet Explorer is one of the most common software applications targeted," Dunham said in suggesting that companies concerned about security consider switching browsers.

This story courtesy of TechWeb.