Unofficial Patch Released for IE Flaw
A team of security gurus today released an unofficial security fix for a serious flaw in Microsoft's default Web browser and e-mail software. The action comes as computer security organizations in the United States and elsewhere are issuing alarms that the Internet Explorer flaw is currently being exploited by online criminals to install spyware on vulnerable computers.
Microsoft said it expects to ship an update to fix the problem on Oct. 10. In the meantime, the company is recommending a workaround to disable the IE flaw until a patch is ready.
"We just felt that the risk posed by some exploits that are coming out are too great to just sit around and wait for Microsoft to issue a patch," said Joe Stewart, a senior security researcher at Atlanta-based SecureWorks and a ZERT co-founder.
ZERT members say they have tested the patch fairly thoroughly, but they include this caveat:
"Please keep in mind while the group performs extensive testing of any patches before releasing them, it is impossible for us to test our patches with each possible system configuration and in each usage scenario. We validate patches to the best of our ability, noting the environments in which the tests were performed and the test results."
Several security organizations have issued warnings that criminals have programmed an increasing number of Web sites to exploit the IE flaw and install malicious software on any vulnerable computer that visits one of the sites.
The SANS Internet Storm Center switched its alert level from green to yellow today, noting that the means for wielding this exploit to install malicious software "is widely known, easy to recreate, and used in more and more mainstream websites. The risk of getting hit is increasing significantly."
AusCERT, the Australian Computer Emergency Response Team, said it has seen widespread e-mails urging users to click on links to Web sites that exploit the flaw to install malicious software.
Some malicious sites appear to be using the exploit to silently install spyware and adware, while others are seeding visitors' Windows machines with hard-to-remove keystroke loggers or "form grabbers" designed to steal username, password and financial data when users enter data at bank or e-commerce Web sites.
Thursday evening, attackers wielding this latest IE exploit hacked into the servers for Host Gator, a Web hosting company based in Boca Raton, Fla. Jason Muni, Host Gator's general manager, said attackers reconfigured an unknown number of Web sites hosted on the company's servers to redirect visitors to a third-party Web site that tried to load the IE exploit. Muni said the company had to reconfigure all of its 200 hosting servers to clean up the mess, fixes that caused extended outages for most of the company's 40,000 customers.
Ken Dunham, director of the iDefense Rapid Response Team at VeriSign, said his company saw about 500 of Host Gator's customer sites redirecting to the exploit site.
Meanwhile, Websense Security Labs issued a report listing dozens of sites already using the flaw to install malicious programs. Dan Hubbard, Websense's vice president of security research, said the exploit is also being folded into Webattacker, a software tool circulating in the online criminal world that can be used to set up fake Web sites for the purpose of ID theft and fraud.
Hubbard said about 10,000 Web sites use the Webattacker tool, which is sold for less than $20 at several online sites (and even includes tech support for buyers). Many of those sites that currently use Webattacker are beginning to upgrade to the latest version, meaning that very soon the Internet will likely be littered with sites that try to exploit the IE flaw.
Webattacker clients are often in the spam and spyware business, making them well versed in using fake blogs, spam and other methods to pump up the search engine listings for their sites. Hubbard said he expects those individuals will be doing the same for the sites they've created to exploit this particular IE flaw.
Experts contacted by Security Fix said Microsoft's suggested workaround appears sufficient to prevent the exploit from working. To disable the flawed component in Windows, do the following:
1) Open up a command prompt: Click "Start," then "Run," and a text box should pop up.
2) Cut and paste the following text into that box:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
3) Then hit enter or click "Ok." You should then receive a pop-up window stating that the vulnerable component has been unregistered.
When Microsoft releases a patch for this problem, it should re-enable the vulnerable component. But if it does not or you would like to turn it back on for any reason, simply follow step 1 above and then paste the following into the box that pops up:
regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
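To confirm that the workaround took effect, or that a later patch has re-enabled the component, the registry can be checked for COM classes still served by vgx.dll. The PowerShell below is an added example, not part of the original post or Microsoft's guidance; the function name Get-VgxRegistration is hypothetical, and it assumes that unregistering the DLL removes the InprocServer32 entries that point to it.

```powershell
# Added example: report whether any COM class is still served by vgx.dll.
# Path taken from the workaround above; the function name is hypothetical.
$dll = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'

function Get-VgxRegistration {
    # Check the native registry view and, where present, the 32-bit view.
    $roots = 'Registry::HKEY_CLASSES_ROOT\CLSID',
             'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($class in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            try {
                # InprocServer32's default value names the DLL that implements the class.
                $sub = $class.OpenSubKey('InprocServer32')
                if ($null -eq $sub) { continue }
                $server = [string]$sub.GetValue('')
                $sub.Close()
            } catch {
                continue   # key not readable with current rights; skip it
            }
            if ($server -match 'vgx\.dll') {
                [pscustomobject]@{
                    Clsid  = $class.PSChildName
                    View   = $root
                    Server = $server
                }
            }
        }
    }
}

$hits = @(Get-VgxRegistration)

if (-not (Test-Path -LiteralPath $dll)) {
    "Note: vgx.dll was not found at $dll"
}
if ($hits.Count -eq 0) {
    'No COM class points to vgx.dll: the component is unregistered.'
} else {
    "vgx.dll is still registered for $($hits.Count) class(es):"
    $hits | Format-Table -AutoSize
}
```

Run it once after step 3 and again after installing the vendor patch to see whether the component has been re-registered.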
My guess is that Microsoft will indeed release a patch before Oct. 10, the company's next scheduled patch release date. I have put in calls to them to inquire about that possibility but am still awaiting a reply. In the meantime, please be extremely careful about following Web links sent to you in e-mail or instant message. IE users should strongly consider using an alternative browser, such as Firefox, Netscape, or Opera.
Update, 3:01 p.m. ET: Microsoft declined an interview today about the upswing in attacks, but in a statement on its security blog Redmond says it is not seeing any signs of widespread attacks that leverage the IE flaw. Still, the statement suggests that they are now leaning toward releasing a patch before Oct. 10. From the MSRC blog: "Attacks remain limited. There's been some confusion about that, that somehow attacks are dramatic and widespread. We're just not seeing that from our data, and our Microsoft Security Response Alliance partners aren't seeing that at all either. Of course, that could change at any moment, and regardless of how many people are being attacked, we have been working non-stop on an update to help protect from this vulnerability. We've made some progress in our testing pass for the update and are now evaluating releasing this outside the monthly cycle, as we do any time customers are under threat and we believe we can issue an update that meets our quality bar for widespread deployment. So right now we're looking at where we hit that quality bar and if that occurs prior to the monthly cycle then we will release. That last bit is important because we were made aware this morning of a third party 'update' for this issue. We think it's great that there are people out there working to help protect our customers. But as we've always said, we cannot endorse third party updates."
September 22, 2006; 2:15 PM ET
Categories: Latest Warnings , New Patches