Exploit(s) Released for Unpatched IE Flaw
Security experts are warning that at least one set of instructions showing bad guys how to exploit an unpatched security hole in Microsoft's Internet Explorer Web browser has been posted online, and that malicious Web sites are likely to begin using the blueprints to install spyware and other unwanted junk on visitors' Windows computers.
Microsoft acknowledged the previously undisclosed flaw in a blog posting earlier this week, in which it urged users to follow "safe browsing practices," such as only visiting trusted Web sites. My two cents: Security Fix readers who use Windows should consider downloading and using a different browser, such as Firefox, Netscape or Opera.
That advice is not to suggest that these browsers are free from security flaws. It's just that you're not anywhere near as likely to see attackers exploiting them to install software you don't want on your PC.
If you don't believe me, read the story I wrote last week about the scourge of keyloggers still being foisted upon IE users who haven't yet applied a patch that Microsoft made available in January. For nearly two weeks prior to that patch release, thousands of Web sites were either exploiting the flaw directly to install spyware, or had been hacked and seeded with exploit code that infected visitors who arrived with vulnerable versions of IE.
In deciding whether to use IE for everyday Web browsing, keep in mind that exploits like these tend to be discovered by individuals in the hacker underground and used privately for a while, if not sold outright, before they become public. During that window they are typically put to profit-making uses such as installing adware and password-stealing programs like keystroke loggers.
Last night, I contacted Stelian Ene, whom vulnerability watcher Secunia credits in its "highly critical" advisory on this flaw. Ene said that while he's excited by all the attention he has received so far, he did not discover the flaw himself. Rather, he came across the bug while poking around in the underbelly of the online world and posted about it on Full Disclosure, a security discussion mailing list.
"I have not contacted [Microsoft] because I was convinced it was a known bug. As it turns out, it's very hot," Ene wrote in his e-mailed reply. Very hot, indeed: The SANS Internet Storm Center, which tracks hacking trends, just switched its InfoCon threat condition from green to yellow over the new exploit. The last time SANS went to this heightened alert level was in the days before Microsoft released that January IE patch, when another IE flaw was being leveraged to attack Windows users.