One flaw lets an attacker run a program on a victim's machine, while the other enables malicious code to "cross zones," or run with privileges higher than normal. Together, the two issues allow for the creation of a Web site that, when visited by victims, can upload and install programs to the victim's computer, according to two analyses of the security holes.
The possibility that a group or company has apparently used the vulnerabilities as a way to sneak unwanted advertising software, or adware, onto a user's computer could be grounds for criminal charges, said Stephen Toulouse, security program manager for Microsoft.
"We consider that any use of an exploit to run a program is a criminal use," he said. "We are going to work aggressively with law enforcement to prosecute individuals or companies that do so."
Microsoft learned of the issue when a security researcher posted an analysis of the problem to the Full Disclosure security mailing list on Monday. The software giant has already contacted the FBI and is in the "early stages" of building the case, Toulouse said. The company is considering creating a patch quickly and releasing it as soon as possible, rather than waiting for its usual monthly update.
The flaws are apparently being used to install the I-Lookup search bar, an adware toolbar that is added to IE's other toolbars. The adware changes the Internet Explorer home page, connects to one of six advertising sites and frequently displays pop-ups -- mainly pornographic ads, according to an adware advisory on antivirus company Symantec's Web site.
On Tuesday, security information group Secunia released an advisory about the problem, rating the two flaws "extremely critical."
"Secunia has confirmed the vulnerabilities in a fully patched system with Internet Explorer 6.0," the group wrote. "It has been reported that the preliminary SP2 (a major security update being developed by Microsoft) prevents exploitation by denying access."
The flaws could let any attacker with a Web site send an email message or an instant message with a link that, when clicked on by an Internet Explorer user, would cause a program to run on that victim's computer.
The original analysis, written by a Netherland student researcher, Jelmer Kuperus, who found that the type of programming needed to take advantage of at least one of the flaws required sophisticated knowledge of the Windows operating system.
"While sophisticated, it's so easy to use, anyone with basic computer science can set up such a page, now that the code is out there in the open," Kuperus wrote in an email interview with ZDNet UK sister site CNET News.com. "It's just a matter of changing two or three (Internet addresses) and uploading another" executable file.
Kuperus, who used an email account based in the Netherlands, wrote in an email on Monday that he had been tipped off to the adware Trojan horse by an unnamed individual.
"Being rather sceptical, I carelessly clicked on the link only to witness how it automatically installed adware on my PC!" he wrote.
The Internet address from which the adware Trojan horse was downloaded resolves to I-Lookup.com, a search engine registered in Costa Rica that antivirus firms Symantec and PestPatrol have linked to aggressive advertising software. Two of the top three searches on the site relate to removing such programs, according to I-Lookup.com's own statistics.
A domain name search shows i-Lookup.com's parent company to be Aztec Marketing, but Pest Patrol links the site with iClicks Internet. Emails sent to both companies for comment were not immediately answered.
Kuperus believes that i-Lookup.com's parent company may not be directly responsible for the adware-installing Trojan horse program, but that it could be rewarding the creator through an affiliate program.
"It does pass along a referrer code when downloading," he said. "Whomever created this probably is getting money for every install, so if the folks at (i-Lookup.com) would be willing, they would be able to track down the perpetrators."
Microsoft's Toulouse said Internet Explorer users could harden the software against such attacks by following instructions on the company's site. Other browsers available on Windows, such as Opera and Mozilla, do not contain the flaws.
Talkback
This happened to my computer, not sure what i clicked on that opened it but it installed the search bar and I cant remove it after a million aimless attempts. It doesn't allow me to remove it from add/remove programs because its NOT listed there. There isnt a name for it when I open it up but when I right click on it, it shows me it is called Intelligent Explorer, or realbar. I'm not sure if this is even the same one but it is extremily aggrivating to have something there that shouldnt normally be there. If anyone knows what this is, mind giving me some feedback? Thanks!
This happened to me last week and cost me a week's work. IE needs to be fixed NOW!!!! Norton Antivirus does not even detect the installed adware because it is an "Extended Threat". I had to manually remove everything. How sad is this?
This hit me June 13. I've been fighting it ever since. I've added a router, ZoneAlarm, an improved Norton AntiVirus, and I'm still fighting it.
The people who wrote this program should be shot, arrested, tried, convicted, and shot again.
Put a Linux box people and forget about viruses and backdoors
This toolbar forced me to switch to Mozilla Firefox, and have experienced no problems atl all since.
LOL
many years back, i had used microsoft windows 98 and microsoft had SECRETLY read ALL my documents WITHOUT MY PERMISSION.
why?????
it is a very big sin.
i pray everyday to the One and Only God to punish Microsoft some day and vanish from this world. and i hope it come sooner.
this shows the microsoft products are NOT SECURE AT ALL !!!!!!!!!!!!!!!!!!!!!!!!!!
from that day, i do not believe whatever microsoft "B.S." marketing is telling !!!!!!!!!!!!!!!!
and GOD, i had EXPERIENCED AND TIRED of doing the non-stop service packs, patches and other updates for microsoft products.
Get AD-aware from:
http://www.lavasoft.nu/
(freeware) and try with that.
Ever since my 11 year old son visited a 'warez' site we have been plagued with pop-ups. Nothing stops them. We've tried the lot - noadware - spybot S&D -ad-aware, whatever we do they just keep coming. I suspect that some hidden script has modified IE in some way, because the problem does not affect Firefox. There is no obvious toolbar or alteration to IE but I am as sure as I can be that it has been compromised. I would like to remove IE altogether and just use Firefox, or ideally, reinstall a more robust and less vulnerable IE.