IE Exploit Could Soon Be Used By 10,000-Plus Sites
First reported by Florida-based Sunbelt Software Tuesday, the bug has already been used to compromise PCs and load them with scores of adware and spyware programs, as well as other malicious code. Users surfing with IE 6 and earlier can be infected simply by viewing the wrong site.
The in-the-wild exploit is definitely being served up by WebAttacker, a multi-exploit "kit" created and sold by a Russian group for as little as $20, said Dan Hubbard, head of research at security company Websense. Tuesday's analysis by Hubbard and others, including Eric Sites of Sunbelt, fingered WebAttacker but couldn't prove it.
"We've seen a new version of WebAttacker on some sites, along with older versions," said Hubbard, "so we know that they've updated their kit."
WebAttacker is a modular hacker toolkit that uses a simple Web interface to let attackers choose from numerous exploits -- the VML exploit only the most recent -- to "serve" any visitor of a malicious site. The kit even identifies the operating system, say Windows XP SP2; browser used; and presence of anti-virus software, then chooses the best exploit to run, Symantec said in an entry on its security team's blog Wednesday.
WebAttacker, added Symantec's Amado Hidalgo, even generates statistics on successful exploits by host, OS, and browser; it also calculates an "exploit efficiency" ratio.
"One thing we haven't found yet," said Websense's Hubbard, "is a stat page that will tell us how many systems have been compromised."
In April, Websense discovered a WebAttacker stats page that showed just one malicious site had compromised more than 3,000 computers using just two of the kit's seven exploits.
"There are close to 10,000 sites either hosting WebAttacker or pointing to sites that do," Hubbard estimated. Although only about 20 sites are currently serving up the exploit, if more WebAttacker users decide to download the newest version, Hubbard expects that the number of malicious sites will quickly climb. Gunter Ollmann, the director of Internet Security Systems' X-Force research lab, said that there were signs of that already. "We've seen a three-times increase in the number of sites using the exploit over yesterday," Ollmann said.
Attackers are already into the second generation of the exploit, Ollmann added, having tweaked it to deliver a wider range of malware. More disturbing, proof-of-concept code has been posted on at least one hacker site that dispenses with the original exploit's use of JavaScript. By doing away with any script, an exploit can get around protections built into e-mail clients and temporary defenses such as turning off IE's Active Scripting.
Ollmann went on to say that an exploit carried by an HTML-based e-mail message is probably just around the corner. "Oh, I think we'll see an e-mail vector."
The next 24 to 48 hours should show how dangerous this all is to IE users, Ollmann said, which puts a much larger outbreak before the weekend.
Hubbard, however, thought it might take until after the weekend for researchers to have a clear idea of the extent of the problem. That, in turn, will affect Microsoft's decision on when to release a fix. "They do impact assessment for their patches," said Hubbard. Microsoft has patched out-of-cycle in the past, but usually only when attacks are not only ongoing, but massive. The last time the Redmond, Wash. developer provided a fix not in its regular monthly schedule was more than 8 months ago, when it patched the WMF vulnerability five days before January's normal update.
Hubbard had other depressing news. "This [VML] exploit is even easier [to build] than CreateTextRange [a March IE bug exploited by scores of sites]. And we believe that proof-of-concept code that will do an unprivileged launch of an executable is imminent.
"I'd rate the threat as 'high,' even though there are not many sites using it yet," Hubbard concluded. "This could be even bigger than WMF, what with the WebAttacker component."
Check out "How To Defend Against IE's VML Bug" for self-defense tips on protecting your PC until Microsoft releases a patch.