Network News

X My Profile
View More Activity

New attack targets weakness in Internet Explorer

Blueprints showing attackers how to exploit a previously unknown security hole in versions of Microsoft's Internet Explorer browser recently were published online. The danger here is if IE users browse to a hacked or booby-trapped Web site that uses the exploit, that site could install malicious software.

Microsoft has not yet issued an advisory about this threat. According to initial reports from Symantec and vulnerability management firm VUPEN, the exploit works against IE 6 and IE 7 versions only. The vulnerability apparently resides in the way IE handles so-called cascading style sheet information (CSS), which a great many Web sites use to control the design and formatting of text and other site elements.

Symantec reports that the attack code is a bit buggy and unreliable at the moment, but that a fully-functional and more reliable exploit almost certainly will be released soon. Symantec advises IE users is to make sure anti-virus software is installed, to disable Javascript and only visit trusted Web sites until Microsoft issues a patch.

But as I've noted frequently, the advice to avoid untrusted Web sites is a tad hollow in a world in which a fair percentage of the malicious sites out there are legitimate sites that have been hacked or otherwise compromised. Consider what would happen if a tainted banner ad containing this exploit were to run on a series of high-traffic Web sites (a la the bad ads that ran on the New York Times' site earlier this year).

Now might be an excellent time for diehard IE users to either upgrade to IE8, or to try out another browser, such as Firefox or Opera. Firefox, combined with either the Noscript or Request Policy add-ons, goes a long way toward helping users insulate themselves from these types of malicious scripting attacks.

Update, 10:55 p.m. ET: Microsoft issued an advisory about this flaw, available here. Redmond says the vulnerability affects Internet Explorer 6 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

By Brian Krebs  |  November 23, 2009; 10:59 AM ET
Categories:  Latest Warnings , Safety Tips  | Tags: 0day, ie  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Alpha Software disclosure leads to confusion
Next: Spam 'Godfather' gets 51 months in prison


"Now might be an excellent time for diehard IE users to either upgrade to IE8, or to try out another browser, such as Firefox or Opera."


Actually, now is an excellent time to dump Windoze and switch to a Mac running Firefox or Safari.

Posted by: SilverSpring8 | November 23, 2009 1:41 PM | Report abuse

Good one Bk. Thank very much. What you point out about infected ads on legit websites is very important punters grasp. Hope they do. Cheers and thanks again.

Posted by: Rixstep | November 23, 2009 2:57 PM | Report abuse

IE is a bowser of a browser. Second SilverSpring8's idea. It's worth the peace of mind to pay a little more for a Mac

Posted by: GWGOLDB | November 23, 2009 3:00 PM | Report abuse

For some reason a lot of websites have been forcing my IE8 into mobile viewing mode. Is that a bug or a potential problem?

Posted by: pj48 | November 23, 2009 10:53 PM | Report abuse

Are there still IE6 & IE7 users out there ???

Oh yea, the upgrade costs too much. LOL

Posted by: | November 23, 2009 11:03 PM | Report abuse

How is it that people/groups can post these hacks and I never read about anyone getting caught/prosecuted/pay restitution. I guess it's easy to find hole and avoid detection if you know what you're doing?

Must be exciting for the hackers to screw up a good thing. Kinda like big kids beating up little kids on the playground or pulling the wings off butterflies. Just plain mean spirited.

I got it. You're good with computers. I have skills too, but I just don't use them to mess with people or screw up peoples computers? I know, you're laughing now with the same weird sense of twisted morality "haha loser" - what's wrong with your mindset.

Posted by: Yeziam | November 24, 2009 5:51 AM | Report abuse

Friends don't let friends use internet exploder.

Posted by: dalkorian | November 24, 2009 1:02 PM | Report abuse

With regard to the question asked above, according to the today's statistics from StatCounter ( ), the world-wide market share for IE7 is about 22 %, for IE6 16 %, and for IE8 19 %. For comparison, Firefox 3.5.x has a market share of 20 %, while Firefox 3.0.x has a share of 11 %....


Posted by: mhenriday | November 24, 2009 5:02 PM | Report abuse

Brian Krebs,God bless you, you are a real HELP and thank you.

Posted by: mczonkwa1 | November 26, 2009 4:08 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company