Porn sites use new IE bug to install spyware
-
Porn sites use new IE bug to install spyware
IDG News Service 9/19/06
Robert McMillan, IDG News Service, San Francisco Bureau
Hackers are taking advantage of a newly discovered vulnerability in Internet Explorer to install spyware on PCs that visit a number of Russian porn sites.
The malware, first reported Monday by researchers at Sunbelt Software Inc., takes advantage of an unpatched flaw in the way IE processes Vector Markup Language (VML) code. VML is a language used to display graphic information on the Web.
The attack appears to work on all versions of Windows running the IE 6 browser, said Eric Sites, Sunbelt's vice president of research and development. "It's not an operating system-dependent issue," he said.
Sunbelt first discovered the malware on a Russian porn site late Friday. "This site and a couple of others use an exploit kit called Web Attacker, and it looks like the Web Attacker kit has been upgraded to include this new exploit," Sites said.
Since Friday, Sunbelt noticed that the attack code has popped up on about a half-dozen Russian porn sites. In addition, since security researchers estimate that Web Attacker is used by nearly 1,000 Web sites, this latest exploit should soon become more widespread.
Web Attacker is a software development kit sold for as little as US$20 to criminals looking for an easy way to develop malware.
"Since it's being built into the next version of the Web Attacker kit, we expect that this thing will be everywhere in a few days," said Sites.
Whether the attacks will be widespread enough for Microsoft to rush to patch the flaw remains to be seen.
On Tuesday, Microsoft confirmed the Sunbelt team's findings, and said it planned to fix the VML bug in its next set of security patches, scheduled to be released on Oct. 10, "or sooner as warranted," according to a statement from the company's public relations agency.
This is the second unpatched flaw found in IE over the past week. On Sept. 14, researchers posted code that could be used to exploit a different vulnerability in a multimedia component of Internet Explorer. Microsoft is still investigating that flaw and is not saying whether it too will be patched next month.
Sunbelt says that users can avoid the VML attack by disabling Javascript on their browsers. More information can be found on the Sunbelt blog, located here: http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html.
Bob McMillan is U.S. Correspondent for the IDG News Service. -
Porn sites exploit new IE flaw
By Joris Evers
http://news.com.com/Porn+sites+exploit+new+IE+flaw/2100-7349_3-6117407.html
Story last modified Tue Sep 19 16:23:58 PDT 2006
advertisement
Miscreants are using an unpatched security bug in Internet Explorer to install malicious software from rigged Web sites, experts warned Tuesday.
The vulnerability lies in the way IE 6 handles certain graphics. Malicious software can be loaded, unbeknownst to the user, onto a vulnerable Windows PC when the user clicks on a malicious link on a Web site or an e-mail message, several security companies said.
"Fully patched Internet Explorer browsers are vulnerable," Ken Dunham, director of the rapid response team at VeriSign's iDefense, said in an e-mailed statement. "This new zero-day attack is trivial to reproduce and has great potential for widespread Web-based attacks in the near future."
Security-monitoring companies Secunia and the French Security Incident Response Team have given the issue their most serious ratings.
Shady adult Web sites are among the first to exploit the IE vulnerability, Eric Sites, vice president of research and development at spyware specialist Sunbelt Software, wrote on a corporate blog. In one case, a malicious Web site used the exploit to install "epic loads of adware," according to Sunbelt.
Microsoft plans to fix the flaw as part of its monthly patching cycle on Oct. 10, the software giant said in a security advisory. The update might be released sooner, "depending on customer needs," Microsoft said. Typically, Microsoft only breaks its patch cycle when attacks are widespread.
The number of attacks may rise quickly, according to Web security company Websense. It appears that WebAttacker, a tool often used to create attack sites, has been fitted with the new exploit, Websense said in an e-mailed statement. "We have confirmed multiple, previously known, WebAttacker sites that are currently exploiting this vulnerability to install malicious software," Websense said. "We expect to see many of the several thousand WebAttacker sites begin to utilize the exploit, as they update to the latest release of the tool kit."
"Microsoft is aware that this vulnerability is being actively exploited," the company said in its advisory. While it works on an update, Microsoft recommends users keep their security software updated and take caution when browsing the Web. In its advisory, it also provides several workarounds to protect systems against the flaw.
The vulnerability lies in a Windows component called "vgx.dll." This component is meant to support Vector Markup Language documents in the operating system. VML is used for high-quality vector graphics on the Web.
This is the second known and unpatched flaw for IE to surface in as many weeks. Last week Microsoft confirmed a flaw in an ActiveX control related to multimedia. Attack code that exploits the flaw and could be used to hijack Windows PCs running IE 5 or IE 6 has been posted on the Net. Microsoft also has yet to provide a patch for a Word 2000 flaw being exploited in targeted cyberattacks.
Copyright ©1995-2006 CNET Networks, Inc. All rights reserved. -
thank goodness i use mojilla~
-
Disable JavaScript all don't need to access Hotmail....
Hotmail uses JavaScript...
Unless you don't mind signing in manually through Mozilla. -
i dont like russian porn.
-
sarpot chinese porn...
-
lucky I use Fx.
-
lucky i dont surf porn and use IE ...
-
Do your ancestors proud! Surf chinese porn only!
No damn japs or ang moh porn! -
Not me not me, I don't use IE to surf porn.
-
Maybe this thread should go to Bar instead...
-
And give the mods here a lot of trouble solving viruses, spywares and other nonsense?
-
i used ie 7 rc1. is it affected?
-
heng i no surf russian porn..
-
no porn, no IE, no fear
guess which is a lie -
any jap porn?
-
Originally posted by ndmmxiaomayi:And give the mods here a lot of trouble solving viruses, spywares and other nonsense?
-
Edit: Microsoft confirmed it's not affected.Originally posted by GhostStalker:i used ie 7 rc1. is it affected?
But if you want to be sure, just go to the test site. If IE doesn't crash, it's good news.
-
affect affect lor.
ill just reformat the com. very fast one. -
so u surf porn from other countries....Originally posted by stellazio:heng i no surf russian porn.. -
http://www.eweek.com/article2/0,1895,2019162,00.asp
A patch is now available, not by Microsoft. By an organization called ZERT (Zero Day Emergency Response Team).
http://isotf.org/zert/
Patch
Instructions
Must read, anything crash due to not following instructions is your problem...
Release Notes Must read, those who didn't read and apply the patch don't come crying here...
Test the browser. If it is fully patched, it WILL NOT crash.
It's not tested on pirated versions of Windows. If your IE still crash after applying patch, that means it didn't work. Wait for other websites to release the patch... -
Some help for pirated Windows users if the patch doesn't work
- [*]Click Start, choose Run, and then type regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll
[*]Click OK, then click OK again in the confirmation dialog that appears.
To undo the command, use:
regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll
Microsoft Security Advisor ( 925568 )
Disable Binary and Script Behaviour
Note, however, that this only protects against the currently-known exploit, which could, of course, morph into something else entirely.- [*]Select Tools > Internet Options in IE
[*]Click the "Security" tab
[*]Click "Internet," then "Custom Level"
[*]In the "ActiveX controls and plug-ins" section, under "Binary and Script Behaviors," click "Disable," and then click OK.
[*]Repeat the last step above, but in the "Local intranet" zone.
Use another browser
For those who are too used to IE, you can download IE7 RC1. Microsoft says IE7 is not affected by it. Download IE7 RC1 here.
There are also IE-compatible browsers around, like Maxthon and Avant. They are built on IE, so you should be able to get used to it fast. -