Risk
12/16/2008
03:03 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Microsoft Issuing Emergency Patch For Internet Explorer

Without the fix, hackers have the potential to access a computer's memory space, causing IE to exit unexpectedly, in a state that can be exploited.

Microsoft is planning to release an out-of-band patch for Internet Explorer on Wednesday to address a critical security vulnerability that's being actively exploited.

The company on Saturday warned that 1 in 500 Internet Explorer users worldwide may have been exposed to malware hosted at both legitimate Web sites and porn sites that exploit an unpatched vulnerability.

Microsoft confirmed finding exploit code on a search engine in Taiwan and on a Web site in Hong Kong that serves adult entertainment content.

"Based on our stats, since the vulnerability has gone public, roughly 0.2% of users worldwide may have been exposed to websites containing exploits of this latest vulnerability," Microsoft Security Response Center researchers Ziv Mador and Tareq Saade said in a blog post. "That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: We saw an increase of over 50% in the number of reports today compared to yesterday."

Microsoft's estimate works out to as many as 1.4 million potential victims, assuming there are a billion active Internet users (estimates range from 800 million to 1.5 billion), about 70% of whom are using Internet Explorer. The number of potential victims would drop to 940,000 if only Internet Explorer 7 users (47% browser market share) were affected. And those numbers represent only potential victims: Not all those exposed would be necessarily become infected.

The security hole in Internet Explorer has snowballed since last week when Microsoft in a Security Advisory said, "At this time, we are aware only of limited attacks that attempt to use this vulnerability."

"The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer," explained Christopher Budd, Microsoft security response communications lead, in an e-mailed statement. "When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable."

Since last Tuesday, Microsoft has updated its advisory four times. It expanded the list of potentially affected versions of Internet Explorer to include not only IE 7, but also IE 5.01 SP4, IE 6, IE 6 SP1, and IE 8 Beta 2. It also added several workaround options that involve disabling certain features.

Microsoft however says it is aware only of attacks affecting Internet Explorer 7 under the following systems: Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008.

Despite Microsoft's suggested workarounds, U.S. CERT said, it is "currently unaware of a practical solution to this problem." Wednesday's patch should provide a solution.

In a blog post on Tuesday titled "Stop Viewing Porn In Internet Explorer ... For Now," Graham Cluley, senior technology consultant at Sophos, said that his company is seeing about 20,000 new infected Web pages appearing every day and that most of those sites are legitimate sites compromised by SQL injection attacks.

Stephan Chenette, manager of security research at Websense Security Labs, said in a phone interview that he's seeing a lot more legitimate sites being infected than porn sites. "I would characterize the severity as quite critical," he said. "It has quickly become the exploit of choice among attackers."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9688
Published: 2015-03-05
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.

CVE-2015-2214
Published: 2015-03-05
NetCat 5.01 and earlier allows remote attackers to obtain the installation path via the redirect_url parameter to netshop/post.php.

CVE-2015-2215
Published: 2015-03-05
Open redirect vulnerability in the Services single sign-on server helper (services_sso_server_helper) module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters.

CVE-2015-2216
Published: 2015-03-05
SQL injection vulnerability in ecomm-sizes.php in the Photocrati theme 4.x for WordPress allows remote attackers to execute arbitrary SQL commands via the prod_id parameter.

CVE-2015-2218
Published: 2015-03-05
Multiple cross-site scripting (XSS) vulnerabilities in the wp_ajax_save_item function in wonderpluginaudio.php in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) item[name] or (2) item[customcss] parameter in a w...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.