Network News

X My Profile
View More Activity

Exploit(s) Released for Unpatched IE Flaw

Security experts are warning that at least one set of instructions showing bad guys how to exploit an unpatched security hole in Microsoft's Internet Explorer Web browser have been posted online, and that malicious Web sites are likely to begin using the blueprints to install spyware and other unwanted junk on visitors' Windows computers.

Microsoft acknowledged the previously undisclosed flaw in a blog posting earlier this week, in which it urged users to practice "safe browsing practices" -- such as only visiting trusted Web sites. I'd like to offer my two cents, which is that Security Fix readers who use Windows consider downloading and using a different browser, like Firefox, Netscape or Opera.

That advice is not to suggest that these browsers are free from security flaws. It's just that you're not anywhere near as likely to see attackers exploiting them to install software you don't want on your PC.

If you don't believe me, read the story I wrote last week about the scourge of keyloggers still being foisted upon IE users who haven't yet applied a patch that Microsoft made available in January. For nearly two weeks prior to that patch release, thousands of Web sites were either using the flaw on their own to install spyware, or were being hacked and seeded with exploit code to unwittingly infect visitors who came to the sites with vulnerable versions of IE.

In considering whether to use IE for regular Web browsing, I think it's important to keep in mind that exploits like these tend to be discovered by individuals in the hacker underground and used for a spell -- if not sold -- before they become public for profit-making ventures, such as the installation of adware and password-stealing programs like keystroke loggers.

Last night, I contacted Stelian Ene, the guy that vulnerability watcher Secunia credits in its "highly critical" advisory on this flaw. Ene said while he's excited by all the attention he's gotten so far, he did not discover the flaw himself. Rather, he found the bug while poking around in the underbelly of the online world and posted about it on Full Disclosure, a security discussion forum.

"I have not contacted [Microsoft] because I was convinced it was a known bug. As it turns out, it's very hot," Ene wrote in his e-mailed reply. Very hot, indeed: The SANS Internet Storm Center, which tracks hacking trends, just went switched its InfoCon threat condition from green to yellow over the new exploit. The last time SANS went to this heightened alert level was in the days before Microsoft released that January IE patch, when another IE flaw was being leveraged to attack Windows users.

By Brian Krebs  |  March 23, 2006; 3:28 PM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Not-So-Supportive Tech Support
Next: When Macs Attack


Brian: I am a big fan of your column... it helps a non-techie guy like me keep my computer and internet transactions as secure as possible. Thanks a ton for the valuable info you provide!

A dumb question: If I don't use IE (use Firefox) for my daily browsing, then am I still vulnerable to the unpatched flaw? I usually do a good job of updating IE/Office/Windows (any Microsoft) flaws regularly, but keep wondering if I don't use the software, can a hacker (or whoever is trying to cause harm) still take advantage of the flaw and harm my pc? I do have anti-virus, anti-spyware, anti-everything!! installed.

Posted by: saum | March 23, 2006 4:49 PM | Report abuse

If you are using Firefox as your browser, then you will not be vulnerable to the attacks mentioned in this column. As Brian points out, there are security holes in firefox, opera, etc. But since most of the market is using IE, malicious coders tend to target IE and not other browsers.
But for your purposes, you are safe

Posted by: 10100011 | March 23, 2006 4:59 PM | Report abuse

10100011 - Thanks for the info.

Posted by: saum | March 23, 2006 5:17 PM | Report abuse

Microsoft advice of "... users to practice "safe browsing practices" -- such as only visiting trusted Web sites" seems more like a PR attempt to shift the responsibility and blame to the user. How can anyone be certain about any website? One often has to visit it first to even form an opinion. Could any honest and intelligent individual think this is reasonable advice.

Posted by: Steve | March 24, 2006 1:22 AM | Report abuse

Of course it's honorable advice. You can never be certain about a website, especially considering that honorable websites might get hacked.

But everyone can apply some common sense, and so improve their odds of staying clean immensely. Visiting the shady corners of the web (porn, warez, gambling) with MSIE is plain stupid.

Posted by: Rijk | March 24, 2006 5:18 AM | Report abuse

I think people should go to IE7 Beta2. It is better than Firefox which I have used for for over 1 year.

Also this bug does not affect IE7 Beta2.

Posted by: Mike | March 24, 2006 10:48 AM | Report abuse

yeah, Mike: trading a deeply flawed browser for a beta version of the same seems like a good idea, thanks.

Posted by: anon | March 24, 2006 11:24 AM | Report abuse

Brian, you mention that Security Fix readers should use alternate browsers and then list Netscape. But the new version of Netscape uses both the Firefox and IE rendering engines. I would assume that it comes with Firefox as the default rendering engine, but if not, "normal" users of Netscape might be using the IE rendering engine, which I assume also makes them vulnerable to security flaws in IE.

Posted by: Michael | March 24, 2006 1:10 PM | Report abuse


You recommend that people use alternate browsers, but at some points hackers will find flaws in those browsers as well. So not a good long term solution.

I use a nifty little product called SpyWall that blocks the exploits. It also protects me against phishing attacks and allows me to monitor the web browsing habits of my son.


Posted by: Rob | March 24, 2006 3:46 PM | Report abuse

I wouldn't advise using Netscape 8, as it also uses Internet Explorer's rendering engine (sometimes). To be sure you're safe, use Firefox or Opera.

Posted by: Anonymous | March 24, 2006 4:18 PM | Report abuse

I use Lynx to browse, boo yah

Posted by: JoJo | March 24, 2006 6:22 PM | Report abuse

Key words to note from the US-CERT advisory:

>>Known attack vectors for this vulnerability require Active Scripting to be enabled.

Bingo. It's a new exploit, but the same old vector.

IMHO there is no consequence of disabling active scripting in the Internet zone that is worse than the consequence of leaving it enabled by default.

Posted by: Mark Odell | March 24, 2006 7:34 PM | Report abuse

Thanks for the helpful article. It is unfortunate that the only comments so far have come from a bunch of morons and idiots.

Posted by: Thoughly Disappointed | March 29, 2006 9:29 AM | Report abuse

Very good site, congratulations! horse art

Posted by: art | April 20, 2006 9:47 PM | Report abuse

qcpxtlfy oiaf qnyduge vkygfm rfpbux xbfcsomen fmtdse

Posted by: pwqlh wczeiaur | August 6, 2006 1:18 AM | Report abuse

qhmxrfzn azfmq mdjbzq karoh nqwymxegd axfsrpqov bgkomiswd

Posted by: rpscqhjyz fidumnw | August 6, 2006 1:19 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company