IE flaw bypasses fully patched systems

Users of Microsoft's Internet Explorer (IE) browser were warned today of new exploits that affect even fully patched systems.

A buffer overflow flaw exists in IE's Vector Markup Language, a component of Extensible Markup Language that specifies vector images in an XML document for display.

Attacks have attempted to execute a downloader trojan that can install malicious code onto a vulnerable machine, according to Ken Dunham, director of the Rapid Response Team at VeriSign iDefense.

"This new zero-day attack is trivial to reproduce and has great potential for widespread web-based attacks in the near future," he said.

Dunham told SCMagazine.com that the exploit is related to the WebAttacker Framework toolkit that Russian hackers have sold online.

"This attack toolkit contains multiple exploits for both IE and (Mozilla) Firefox and is used to launch many types of codes," he said. "This greatly increases the likelihood of prevalence for this new vulnerability added to the WebAttacker toolkit suite of exploits."

The exploit can be mitigated by turning off JavaScript, according to numerous researchers, although that is only one of the vectors it uses for attack.

A Microsoft spokesperson said today that the Redmond, Wash., company is aware of the exploit and preparing a fix for its Oct. 10 Patch Tuesday release, or sooner if the situation warrants.

Microsoft released an advisory on the vulnerability today.

The software giant encouraged PC users to keep anti-virus software up to date and scan for malware.

Earlier this month, hackers published proof-of-concept code for a newly discovered IE flaw, which can allow an attacker to execute malicious code on an affected machine.

Eric Sites, vice president of research and development for Sunbelt Software, told SCMagazine.com that the malware is "pretty dangerous because it blows by any patched Windows IE version."

"We think this is a new version of the WebAttacker kit. We're not sure if someone just took the kit and modified it to fit the exploit, or if someone is selling a new version of the kit," he said.

Microsoft released only three fixes in this month's Patch Tuesday distribution, with only one of the fixes deemed "critical."

Gunter Ollman, director of X-Force for Internet Security Systems (ISS), told SCMagazine.com today that ISS has been working with Microsoft on developing protection for the flaw.

"This has been posted to multiple sites. The sites that are hosting this malicious material are the sites that have been created with the sole purpose of distributing malicious content," he said. "Some of the sites also host multiple variations of this exploit."

ISS said in an advisory today that an attacker may craft a malicious HTML document and place it on a website to trick the user into loading the malware onto his or her browser.

Click here to email Frank Washkuch Jr.  
