
Microsoft Investigating Reports of New IE7 Exploit

Microsoft said it is investigating reports that a new exploit is going around that takes advantage of an unpatched security hole in Internet Explorer 7.


The SANS Internet Storm Center, which tracks hacking trends, said today that while the exploit does not appear to be widely in use at the moment, that situation is likely to change soon, since instructions showing criminals how to take advantage of this flaw have been posted online.

SANS emphasizes that this vulnerability is not one that was fixed in the massive bundle of patches that Microsoft issued yesterday. It is not clear what steps users can take to protect themselves against this threat, other than to browse the Web with something other than IE, such as Mozilla Firefox or Opera. This appears to be the type of vulnerability that could be used to give attackers complete control over an affected system merely by convincing users to browse to a specially-crafted hacked or malicious Web site.

According to SANS, the exploit works against fully-patched Windows XP and Windows 2003 systems with Internet Explorer 7.

In a statement e-mailed to Security Fix, Microsoft said once it is done with its investigation, the company "will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves."

The remainder of Microsoft's statement reads:

"Anyone believed to have been affected can visit: and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at:

Microsoft continues to encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at:"

Security Fix will continue to keep a close eye on this investigation as it unfolds.

Update, 7:12 p.m. ET: Shadowserver, a volunteer-led security group, has released details about the dozens of Chinese domains being used to serve up this exploit (I hope it goes without saying: Don't visit any of the domains listed in the Shadowserver writeup).

Reston, Va.-based security firm iDefense tonight published further details that suggest this exploit was accidentally released by "knownsec," a Chinese information security team that apparently thought the vulnerability had already been patched by Microsoft. The advisory suggests this exploit has been known and actively used by attackers since October.

From iDefense's advisory (PDF):

"According to knownsec, earlier this year a rumor emerged in the Chinese underground about an IE7 vulnerability and in October it began to be traded privately. In November it got into underground black market and was traded for about $15K. Later in December, it emerged and people sold the exploit second or third hand for about $650. Finally, someone purchased those second hand exploits to develop and deploy a Chinese gaming Trojan."

Perhaps the inadvertent disclosure of this flaw is why Microsoft included in its statement today the following tidbit:

"To minimize risk to computer users, Microsoft continues to encourage responsible disclosure. By reporting vulnerabilities directly to a vendor, it helps ensure that customers receive comprehensive, high-quality updates while reducing the risk of attack."

Update, Dec. 11, 10:04 a.m. ET: Microsoft has officially acknowledged this vulnerability. It issued this security advisory late last night.

Update, Dec. 12, 1:04 a.m. ET: Microsoft has revised its security advisory about this vulnerability, saying it affects all supported versions of Internet Explorer, not just version 7. There are indications that a large number of legitimate, hacked Web sites are being seeded with this exploit code through SQL injection vulnerabilities. I would strongly advise readers to avoid surfing the Web with IE at least until Microsoft has patched this flaw. If Microsoft sticks to its regular schedule of issuing security updates on the second Tuesday of each month, the earliest we can expect a patch for this flaw is Jan. 13, 2009.

By Brian Krebs  |  December 10, 2008; 12:56 PM ET
Categories: Latest Warnings, Safety Tips


You can run Firefox from a memory stick. Now if I could just get a memory stick through security at work I'd be set.

Posted by: gannon_dick | December 10, 2008 6:47 PM | Report abuse

The latest version of NoScript generated a cross-scripting error when I tried to comment on Kathleen Parker's Dec. 10 article. Is this type of thing happening to other people? I downloaded the latest update for NoScript this morning.

Posted by: Heron | December 10, 2008 8:41 PM | Report abuse

Hi Heron. Thanks for the heads-up. NoScript actually is pretty good at finding potential cross-site scripting vulnerabilities, although it isn't always correct. Would you be willing to send me the log or link that generated this report? If there is an XSS vuln on one of our pages, I'd like to get it taken care of.

Posted by: Brian Krebs | December 10, 2008 9:01 PM | Report abuse

Okay, BK. I just tried posting a new comment to the same article:

When I clicked on the "Post" button to submit my comment, Firefox produced this error message: "A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete."

The script file was called: "Script: file:///C:/Documents%20and%20Settings/[name in Firefox profile, sanitized for privacy].YOUR-PA86Z1I3G7/Application%20Data/Mozilla/Firefox/Profiles/x0rwci36.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D/components/noscriptService.js:5935".

The beginning of the error console note said:

[NoScript XSS] Sanitized suspicious request. Original URL [
[text of what I wrote in the comment box]

Is this a benign error message, or has the Post been hit by a cross-scripting attack? Thanks.

Posted by: Heron | December 11, 2008 6:58 AM | Report abuse

Oh, one more thing. A Post error message appeared after the rest of what I wrote about happened: "Your comment contains content that violates our discussion policy. Please edit and resubmit." My comments weren't in violation of the policy.

Posted by: Heron | December 11, 2008 7:01 AM | Report abuse


The comment system deployed in some Washington Post sections uses cross-site JSON, like in your case. JSON messages are valid JavaScript syntax, therefore they're likely to trigger XSS warnings.

NoScript's recent versions, though, are pretty good at telling "static" (innocuous) JSON from executable JavaScript, but this may be time consuming, and if the analysis time exceeds 8 seconds NoScript assumes a DoS attack and flags the cross-site request as suspicious anyway. That's probably what's happening to you.

Could you please send me the full (unedited) [NoScript XSS] line of yours, so I can try to further optimize the filter on your sample, if possible? My mail address is easy to find on

In the meantime, you can complete the transaction, which is surely benign, by using the "Unsafe reload" command, reachable from the "Options" button on the XSS notification bar itself.

Posted by: gma1 | December 11, 2008 8:52 AM | Report abuse

Brian, I just sent the information to you via the Post's email form. Did you get it?

Posted by: Heron | December 11, 2008 9:27 AM | Report abuse

@Heron - Yes, I got it, thanks.

Posted by: Brian Krebs | December 11, 2008 9:38 AM | Report abuse

I received your message too, and I can confirm your request is surely benign.
Actually, on my system (with a quad-core 2.6 GHz CPU) your request took 4.5 seconds to process, therefore it doesn't trigger the XSS warning which, at this point, we can safely relate to the 8-second anti-DoS timeout.

So, if you didn't yet, you can go on and submit your comment using the "Unsafe reload" feature. As I said, I'll try to optimize the JSON parsing to prevent these timeouts on slower CPUs in next NoScript versions.

P.S.: actually I just noticed that when I tested your request successfully, I accidentally posted your own comment about Obama in my name. Please "reown" it, and sorry for the inconvenience :)

Posted by: gma1 | December 11, 2008 12:54 PM | Report abuse
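The two gma1 comments above make one technical point: a JSON reply is also valid JavaScript syntax, so a filter that only asks "could this run as script?" cannot tell data from code, while a strict JSON parse can, and the analysis has to fit inside an anti-DoS time budget. The following is an added illustration written for this page; it is not NoScript's code or the Post's comment system. The 8000 ms budget mirrors the timeout gma1 describes; the function names, the fail-closed verdict and the sample bodies are constructed assumptions.

```javascript
// Added example (not NoScript's or the Washington Post's code): separate
// static JSON from executable JavaScript, under a processing-time budget.

// A body that is valid JavaScript syntax compiles as an expression.
// Function() only compiles the text; it never executes it.
function isJavaScriptExpression(text) {
  try {
    new Function("return (" + text + ");");
    return true;
  } catch (e) {
    return false;
  }
}

// Strict JSON is pure data: identifiers, calls, assignments and operators
// cannot survive a successful JSON.parse.
function isStrictJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Classify a cross-site request/response body. `now` is injectable so the
// timeout path can be exercised deterministically in a test.
function classifyBody(text, budgetMs = 8000, now = Date.now) {
  const start = now();
  const looksLikeJs = isJavaScriptExpression(text);
  const strictJson = isStrictJson(text);
  const elapsed = now() - start;
  if (elapsed > budgetMs) {
    // Analysis overran its budget: fail closed and leave the decision
    // to the user (the "Unsafe reload" path gma1 mentions).
    return { verdict: "suspicious", reason: "analysis-timeout" };
  }
  if (strictJson) {
    return { verdict: "static-json", reason: "parses as strict JSON" };
  }
  if (looksLikeJs) {
    return { verdict: "suspicious", reason: "executable JavaScript syntax" };
  }
  return { verdict: "opaque", reason: "neither JSON nor JavaScript" };
}

// Constructed sample bodies (not captured from any real site).
const SAMPLES = {
  jsonReply: '{"status":"ok","comment":{"id":42,"body":"Nice article"}}',
  sloppyJson: "{'status':'ok'}",            // single quotes: valid JS, not JSON
  scriptCall: 'loadWidget("comments", 42)',  // a function call: code, not data
  htmlFragment: "<p>Hello</p>",
};

// Classify every sample and return the verdicts keyed by sample name.
function classifyAll(samples = SAMPLES) {
  const out = {};
  for (const name of Object.keys(samples)) {
    out[name] = classifyBody(samples[name]).verdict;
  }
  return out;
}
```

Note that `jsonReply` is accepted by both checks, which is exactly why a "valid JavaScript" heuristic alone flags ordinary JSON replies, and that `sloppyJson` (single-quoted keys) is rejected by the strict parser, so a comment system only benefits from this distinction if it emits standards-conformant JSON.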

Brian, the Microsoft security advisory you mention doesn't address this matter, but have you heard whether the vulnerability also affects the Internet Explorer 8 betas?


Posted by: mhenriday | December 11, 2008 12:58 PM | Report abuse

@Mhenriday -- No I have not.

Posted by: Brian Krebs | December 11, 2008 2:03 PM | Report abuse

Thanks to your report, the issue is now fixed, with the added benefit of a 100x boost in JSON processing performance.
Please help test the beta from

According to the latest Microsoft bulletin updates, IE8 is affected as well:

Posted by: gma1 | December 12, 2008 11:54 AM | Report abuse

I've noticed that since I downloaded the beta version of NoScript referenced above, I no longer have to wait to see my posts in this blog. There used to be a time lag, during which I'd wonder if the post was going to actually appear. Thanks again, gma1.

Posted by: Heron | December 17, 2008 1:09 PM | Report abuse

