Microsoft Patches IE, But Security Issues Remain
Browser Security: The Bad Guys Remain One Step Ahead
By Richard Adhikari
Microsoft today released a patch for the latest Internet Explorer (IE) browser vulnerability that has been in the news since last week.
However, malware authors have already begun pushing out customized variants of the flaw that the Microsoft patch may not address.
The vulnerability, rooted in IE's XML parser, lets attackers execute code on their victims' PCs.
By Saturday, at least 6,000 Web sites had been infected and the number is growing, though ascertaining the exact number is difficult. However, security experts say things will get much worse, even if users follow Microsoft's advice to install the patch immediately.
Currently, attacks have only targeted Internet Explorer 7, Christopher Budd, security response communications lead at Microsoft, said in a statement. They have not been successful against systems where the patch has been applied, according to Budd.
Microsoft is hosting two Webcasts to address customer questions about the security bulletin. The first was set for 1 p.m. PDT today and the second for 11 a.m. PDT tomorrow in the U.S. and Canada. The Webcast will be available on demand after that.
According to researcher Rahul Mohandas on the McAfee Avert Labs blog, malware authors have already begun issuing customized versions of the IE exploit with various degrees of stealth.
One of the most prominent techniques is where the attacker sends victims a Microsoft Word document by e-mail that contains an embedded ActiveX control triggered when the document is opened. This exploit was listed as one of the SysAdmin, Audit, Network, Security (SANS) Institute's top 20 security risks in 2007.
Victims of the latest exploit are hit by drive-by injection attacks, in which they visit a compromised Web site that automatically downloads malicious code onto their PCs.
Malware authors have come up with a new twist on this, Dave Marcus, security research and communications director at McAfee Labs, told InternetNews.com. They plant an IFrame onto a legitimate site and the IFrame redirects unsuspecting visitors to the site hosting the malicious code.
An IFrame is an HTML element that lets users embed an HTML document inside another HTML document. The CBS TV network site was hit by an IFrame attack on November 11 that saw visitors redirected to a server in Russia, according to security company Finjan's MCRC blog on November 27.
"We've seen an awful lot of sites that have been compromised with the IFrame on them," Marcus said. "It's a very Web 2.0 way of spreading malware."
Attacks on the browser are expected to increase, with the browser increasingly being considered an application platform, security experts say. Mozilla's Firefox, for example, was ranked as the most vulnerable application by whitelisting vendor Bit9, although Mozilla has since issued a set of ten patches to its Firefox browser.
Experts disagree on how to prevent attacks on browsers in the future.
Microsoft should strip down IE to only the features users need, Wolfgang Kandek, chief technology officer at Qualys, told InternetNews.com. "Why does that browser, which is tightly integrated into Windows, have a very powerful library when users only need a subset of those functionalities?" he asked. "When a library offers way too many features, that opens the door for exploits."
It's all about Web 2.0
But McAfee's Marcus said stripping down IE is not the answer. "Users expect rich dynamic content in this day and age — streaming audio and video — and the browser simply reflects what they're looking for," he said. "You can't stop car theft or bank robberies, you manage the risk and you have to manage the risk of browser attacks in the same way, with layers of defense, knowing exactly what the risks of your assets are and defending them properly."
Marcus said it is difficult to pin down the exact number of infected sites because malware authors are using IFrame attacks.
The situation will only get worse over the next few weeks, Derek Manky, Fortinet's project manager, cyber security and threat research, told InternetNews.com.
"In October Microsoft issued an out-of-band patch for a vulnerability in the server service that was very high profile, but that flaw is still being exploited," he explained. For two to three weeks after that patch was issued, malware activity was low, and now the activity has increased, Manky said.
"I expect to see the same with this IE exploit," Manky said. "In other words, the worst is yet to come."