An unpatched security hole in Internet Explorer that is being exploited affects all versions of the browser, making it more serious than originally believed when it was first publicised on 10 December, Microsoft has said.
Microsoft is investigating reports of attacks against a new vulnerability in IE but said in an update to a security advisory issued late on Thursday that all versions of IE are potentially vulnerable.
Until a fix is available, the company recommends setting the Internet zone security level to 'High' and using access control lists to block Oledb32.dll (the OLE DB library the known exploits load) as the most effective protection against an attack.
"Our latest information is that there are still limited attacks seeking to load malicious software on vulnerable systems," Christopher Budd writes in the Microsoft Security Response Center blog.
Microsoft has seen several hundred detections of exploits from around the globe, though the sites taking advantage of the vulnerability appear to be hosted on Chinese domains, Microsoft said in a Microsoft Malware Protection Center blog.
"The exploit sites we've seen so far drop a wide variety of malware — most commonly password stealers like new variants of game password stealers like Win32/OnLineGames, and Win32/Lolyda; keyloggers like Win32/Lmir; Trojan horse applications like Win32/Helpud along with some previously unseen malware which we generically detect as Win32/SystemHijack," the Malware Protection Center blog said. "We fully expect the variety of malware being dropped by this exploit to broaden as the exploit code starts to circulate around the internet underground," it added.
People visiting otherwise trusted sites could also be affected, Microsoft says, because attackers are using SQL injection attacks to plant the malicious code on legitimate sites.
A Microsoft spokesman said he could not say when a fix would come. The next Patch Tuesday is scheduled for 13 January.
Microsoft's updated advisory lists a number of mitigating factors: Protected Mode in IE7 and IE8 on Windows Vista limits the impact of the vulnerability; IE on Windows Server 2003 and 2008 runs in a restricted mode known as Enhanced Security Configuration, which sets the security level for the Internet zone to High; an attacker could only gain the same user rights as the logged-on user, so accounts without administrative rights are less exposed; and the known attacks cannot exploit the issue automatically through email, since they require the user to open a web page in IE.
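The two workarounds recommended above (Internet zone at 'High', and an access control list that stops IE from loading Oledb32.dll) can be applied and checked with a short script. The PowerShell below is an added example written for this page; it is not taken from the article or from Microsoft's advisory, and the function names are my own. It assumes an elevated prompt, the 32-bit OLE DB path under %ProgramFiles% (64-bit systems also carry a copy under %ProgramFiles(x86)%, which would need the same treatment), and that the per-user zone setting in HKCU is the one in effect (a policy-locked HKLM setting would override it).

```powershell
# Added example (not Microsoft's own tooling): apply, verify and reverse the two
# workarounds from the advisory. Run from an elevated PowerShell prompt.

$ZoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # zone 3 = Internet
$HighLevel = 0x12000   # CurrentLevel: 0x10000 Low, 0x11000 Medium, 0x11500 Medium-High, 0x12000 High
$OleDb     = Join-Path ${env:ProgramFiles} 'Common Files\System\Ole DB\oledb32.dll'  # assumed 32-bit path
$AclBackup = Join-Path $env:TEMP 'oledb32_acl_backup.txt'

function Set-InternetZoneHigh {
    # Record the previous level so the change can be undone once a patch is installed.
    $old = (Get-ItemProperty -Path $ZoneKey -Name CurrentLevel).CurrentLevel
    Set-ItemProperty -Path $ZoneKey -Name CurrentLevel -Value $HighLevel -Type DWord
    [pscustomobject]@{ Previous = ('0x{0:X}' -f $old); Current = ('0x{0:X}' -f $HighLevel) }
}

function Disable-Oledb32 {
    if (-not (Test-Path $OleDb)) { throw "oledb32.dll not found at $OleDb" }
    # On Vista/2008 the file is owned by TrustedInstaller, so take ownership first.
    & takeown /f $OleDb | Out-Null
    # Save the current DACL before touching it; icacls /save writes a restorable file.
    & icacls $OleDb /save $AclBackup | Out-Null
    # A deny ACE for Everyone makes IE's attempt to load the DLL fail.
    & icacls $OleDb /deny 'Everyone:(F)' | Out-Null
    (Get-Acl $OleDb).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like '*Everyone*'
    }
}

function Restore-Oledb32 {
    # Reverse the ACL workaround after the fix ships; /restore is run against the parent directory.
    if (-not (Test-Path $AclBackup)) { throw "no ACL backup at $AclBackup" }
    & icacls (Split-Path $OleDb -Parent) /restore $AclBackup
}

function Test-Mitigations {
    # Returns which of the two workarounds is currently in place on this machine.
    $level = (Get-ItemProperty -Path $ZoneKey -Name CurrentLevel).CurrentLevel
    $deny  = (Get-Acl $OleDb).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference -like '*Everyone*' -and
        $_.FileSystemRights -eq 'FullControl'
    }
    [pscustomobject]@{
        InternetZoneHigh = ($level -eq $HighLevel)
        Oledb32Blocked   = [bool]$deny
    }
}

# Usage: apply both, then confirm.
Set-InternetZoneHigh
Disable-Oledb32
Test-Mitigations
```

Setting the Internet zone to High disables scripting and ActiveX for every site not in the Trusted Sites list, so expect breakage on ordinary pages; the ACL change is the less intrusive of the two, but it also breaks any application that legitimately uses OLE DB, which is why the script keeps a restorable copy of the original DACL.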
Talkback
I have removed the IE icon from my desktop, and threatened my grandkids with expulsion if I catch them using IE. IE has always been an accident waiting to happen. One would think Redmond would have rebuilt this POS a long time ago. They are only helping Firefox, and other browsers.
Ator, for the first time that I can recall, I disagree with you. IE is not an accident waiting to happen, it has already happened, over and over and over again, and it continues to do so.
I have a standard question that I ask of people when this kind of issue comes up. Would you accept this sort of behavior from anything else that you own? What if your TV turned itself off every once in a while, or changed stations at random? Or your car? What if you had a home security system, and it just didn't work sometimes, so people could occasionally, but not always, walk into your house at will, or it needlessly sounded alarms at the police station.
Of course they wouldn't. But we are all supposed to be in awe of Bill Gates, and Microsoft, and this wonderful thing that they have created that is far beyond the ability of mere mortals like us to comprehend, so if there are occasional "glitches", that is supposed to be perfectly acceptable.
jw
I stand corrected, Mr Watson. You are quite right in that this quality of merchandise would not be acceptable in any other industry. I have always said the manufacturer of a product should be held responsible for any defects, and this includes software. Also, forcing consumers to pay for this software, pre-installed on a new computer, should be illegal, and refundable, if the consumer doesn't want it. If someone steals your identity by breaking into a bank's system, the software manufacturer should be held liable, but no, it is blamed on the IT department. Microsoft security is a contradiction in terms.
This is the second time in 18 months that Microsoft has gone out of band to release an emergency patch (the last time being October for the RPC issue) for Internet Explorer, which is being actively exploited right now. There has been Proof of Concept (POC) code for the exploit available since December 11th. Coming just the week before Christmas, and given the wide use of IE within business enterprises and the severity of the vulnerability, clearly IT professionals need to patch this vulnerability as soon as business conditions permit. There were over 100 websites on Dec 11th hosting some type of malware associated with this vulnerability. Today, that has grown to thousands of sites now hosting the malware.
Microsoft felt this issue warranted an out of band patch due to the underlying exploit being actively used in the wild and damage mounting. There are reports of up to 6000 compromised web sites hosting web pages that take advantage of the vulnerability.
A recent study titled "Understanding the Web browser Threat: Examination of Vulnerable Online Web browser Populations and the Insecurity Iceberg" found that 57% of IE users were not running the most current version that's patched. This will be a wake up call to IT professionals to make sure to patch their browsers. This speaks volumes to the underlying problem with web-borne malware. We as a community are constantly trying to outsmart the bad guys on their delivery method. However, it is not necessarily a delivery / obfuscation issue; the underlying issue is a failure to patch, including their browsers. A recent Verizon study showed that over 70% of the exploits used in web-borne malware had vendor patches available for up to a year and less than 1% had patches available within a 30 day window. The web-borne malware issue is a patch management issue and can be simply fixed by patching in a timely fashion according to industry best practices.
...it is still there on more than half the Microsoft PCs out there.