
New zero-day IE7 exploit is in the wild

A new IE7 exploit is now making the rounds. It has already been incorporated in toolkits that install information-stealing trojans. Read on to learn more.

A new zero-day Internet Explorer 7 exploit is now out in the wild. It's a drive-by dropper that resides on malicious Web sites. Brian Krebs, the tireless security watchdog for the Washington Post, points out all the details in his blog "Microsoft Investigating Reports of New IE7 Exploit."

iDefense, a Virginia-based security firm, noted that the exploit may have been accidentally released by a Chinese IT security group that mistakenly thought Microsoft had already patched the vulnerability. The following quote is from their Dec. 10, 2008, blog "Exploitation for Unpatched Internet Explorer 7 Vulnerability in the Wild" (pdf):

"On Dec. 9, 2008, security researchers found a previously unknown vulnerability in Microsoft Corp.'s Internet Explorer 7.0 being exploited in the wild. This exploit has already been incorporated into Chinese exploit toolkits and is actively being used to install information stealing Trojans that target online games."

Acknowledged by MS

Microsoft has finally acknowledged the problem in Security Advisory (961051):

"Microsoft is investigating new public reports of attacks against a new vulnerability in Internet Explorer. Our investigation so far has shown that these attacks are against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008."

It's important to know that the massive Windows update just released on Dec. 9, 2008, doesn't have a patch for this vulnerability.

Domains hosting malicious Web sites

Shadowserver.org, a volunteer security group, has listed many of the domains that are hosting the exploit-carrying Web sites. The list is published on their blog "IE7 0-Day Exploit Sites." They also mention some detection and prevention information, as well as places to get Snort rules for the current unmodified variants.

Final thoughts

This exploit is important, and sadly there's no Microsoft solution at this time. Once again the simplest solution is to use an alternative browser such as Firefox, Chrome, or Opera. I doubt Microsoft would make that suggestion though.



112 comments
Neon Samurai

Firefox 3.0.5 update is out, hit the update link from your FF help menu if you haven't yet today. Windows IE patches have not appeared on the update site yet.

jfreedle2

Yet another reason to stay off the Internet.

chatch

Who uses IE7 anyways? What about the beta IE 8? Is this exploit also in IE 8? Get Opera.

masterstewart

IE8 Beta: Does anyone know about IE8 Beta? Does this exploit also affect that browser? Master Stewart

steve

Given the architecture and problems with IE, I wonder why we bother with it. I know all browsers have some deficiency, and that some sites just need IE because they break standards so badly; but in the main sites are becoming more standards compliant, and we can afford to relegate standard-breakers and dangerous architectures to the garbage bin. My question to those who complain "I got infected" or "my PC is broken" is "have you considered Firefox or Opera browsers?". Even better, if you are pretty much a vanilla user, get a good Linux distro like Ubuntu, SUSE, PC-Linux or Red Hat (to name a few). I've been running Ubuntu for several months now. I do all my web graphics and software development on it, and have never been so free of problems! And the upside - it's all free. Steve Barnes www.barnes-open.com.au

.Martin.

Another problem with Internet Explorer (or infernal exploder). I no longer use IE except for Windows Update...

JustinF

I logged into my WSUS this morning expecting to see the update awaiting approval and nothing as yet. Any indication it was actually released as planned?

Michael Kassner

This is a big deal Oz. I must apologize, I haven't yet received any information from MS on this. I'm supposed to, but it doesn't matter. Any advanced warning to TR system admins is a very good thing, thanks for letting us know.

Michael Kassner

Except society and business are almost past the point of having that as an option.

Michael Kassner

I've read, but can't confirm this, that a source said all versions are vulnerable.

RosaNegra

The link Michael noted above does say all versions from IE 5 through IE 8 Beta 2.

Michael Kassner

If the exploit was unknown to MS, I doubt that they would have fixed it in IE8. Also if you see my comment "More problems", I share a link talking about the fact that all the previous IE versions are vulnerable as well.

jg

Take a look at Drive Sentry; it protects against zero-day attacks. www.drivesentry.com

Nori Sarel

Businesses are generally rather slow to upgrade when something is working "fine." 30% of the population is still on IE6 and I'm guessing a lot of that is businesses. But think of this. A mere 4 years ago IE had virtually 100% market share and now they have less than 80% (as low as 70% by some accounts). That's a pretty hefty change and my guess is if MS doesn't get their act together that it will keep trending that way. I'll be pretty happy when IE6 dies since it is such a pain to use and program for. FF is beautiful and I hope it keeps making these leaps and bounds that it has been. Who knows, in another 4 years IE might be at 50% with Safari at 8% and FF at 40% and others at 2%. That would be awesome!

Neon Samurai

Regular users buy the machine that the guy in the store told them they just gotta have. They get home and open up the included IE then think; "but I have a browser, why would I want a second one.. they are all the same aren't they? And what is this download and install business.. all too complicated.. I just want my facebook and porn." It's one of the benefits of having 90% of the market through clever business tactics rather than product quality. Marketing and popularity account for more than technical features unless one happens to be the techie type.

Michael Kassner

It's the on-going argument that probably will not be resolved anytime soon between the MS and Linux advocates. Many feel it's all based on the number of "targets of opportunity."

Michael Kassner

There are times when IE is defaulted to regardless of the fact that another browser is set as default. I'd bet quite a bit of money that the nasty types know those circumstances as well.

Neon Samurai

I checked when I got back from lunch and nothing, I checked five minutes later and there it was. FF and IE now patched and happy.

Oz_Media

I don't need no steenkin' Microsoft. I cheated and actually got the info from a torrent release site. See, they aren't ALL just about stealing copyrighted material. ;)

Michael Kassner

Do you have any information or experience in that regard? I'd really like to learn about how that happens.

Michael Kassner

Just think of all the extra effort required to maintain a totally independent browser in a business setting.

chris

Do we just not hear about FF issues as much or is it really better?

Neon Samurai

In the server market it is tested to some degree where the majority of resulting targets of opportunity are not Windows based servers. I'd love to see it truly tested in the desktop space for a few reasons: - historically, FOSS has been faster to respond to exploitable flaws with a few exceptions. I think that fixes would continue to be patched in hours and days (there would be a patch for this already tested and available). - to truly test it, MS would have to not hold the monopoly share of the market. The end user would benefit from more open competition through product quality. Oh well. As long as MS holds 90% of the market, they should be held to the obligation of attending to their product quality.. in a perfect world anyhow. On the up side, they do have an update blog posting on the subject with workarounds listed. I've it open on another tab for this morning's reading.

Neon Samurai

Windows Update is one process that will pull up IE regardless of the default browser. That's attaching (or thinks it's attaching) to the MS servers though, which need the ActiveX and MS-only features of IE. IE is also the base widget set for Windows it seems, so any other process will make use of it to draw the program interface. I haven't seen internet connected sites force IE to load other than Windows Update though. I've seen pages that won't function properly without IE but not ones that could ignore the browser default and initiate an IE session. Now I'm curious though, I have to go read the initial thread comment and see if I can track down any websites that do it.

Neon Samurai

It may be that some patch or your lack of coffee changed the auto-update setting at some point, but forced updates while auto-update is disabled are not unheard of either. Has SP3 caused you grief in the past?

Dumphrey

but when I got up this AM, my computer had rebooted itself, and gave me the "Your computer has been updated" slogan. I was only part awake, and will look into it when I get home, as it's possible that I forgot to reset patch preferences after SP3.

Neon Samurai

Granted, I go through Windows Update to do it but always with the custom update button so I can see what I'm accepting. In a business setting, it's better to go with a centralized management system like WSUS so you can properly manage the rollout though.

Oz_Media

WinUpdate will get it for you if you trust WinUpdate to feed your PC.

Dumphrey

as email admin is about 45-80% of my job depending on the day.... I need to check out SpamCop more, I used to visit them regularly but got sidetracked by the Barracuda global stats pages.

Michael Kassner

That's what scares me as it's already causing havoc and MS seems rather tepid about it. They have to remember it's break time now and all sorts of younger types have time to develop scripts and exploits. It's amazing to see how the graphs at SANS and SpamCop go nuts during this time of year and at the beginning of summer break.

jg

Suggest anyone wishing to try the product should run it alongside their existing AV for double security in situations such as this one. I just use DS on its own now and I love not having those incessant downloads that occur with conventional products, and it is free; unless you ask for background trickle feeds, in which case it's not expensive.

Michael Kassner

I read that as well, but whitelisting doesn't always work as advertised. Having your vote of confidence gives it credibility.

jg

I quote from the website: "DriveSentry takes a different approach to conventional antivirus software. DriveSentry adopts a unique whitelisting technology and only allows good programs to access your computer's memory, drives and data. This works in safeguarding you from zero day threats providing real-time up to the second security." I am not an under-the-bonnet techie, but in simple terms: rather than checking every program every time it is run against a list of virus signatures, which need constant updating, it checks whether the program is on the official whitelist. If it's not on it, it's not allowed to run, unless you give specific permission. So if your subscription to a conventional product has elapsed you are still protected. I have used it for two years now, first of all in parallel with AVG or Avast but now on its own. A scanner is supplied with the product and I run this once a week as I used to with AVG, Norton, etc. If you have children who have forgotten to update their antivirus subscription, it's a godsend. Any zero day threat is not allowed to run as it will not be on the whitelist. Hope this helps.

Michael Kassner

I absolutely deplore IE and refuse to use it personally. Yet I totally understand the position taken by enterprises (sounds like you are experiencing the same) regarding the use of any other browser. It just adds all sorts of work. For example, my work computer for Orange Business Services is still on IE 6 and I can't do anything about that. I do appreciate your information, I had no idea that FF would meld into group policy, that's huge. I'm sorry for not knowing that, my only excuse is that I reside on the network side, (some say the dark side) more than the systems side.

neilb

You can download a Firefox MSI for installation using SMS, group policy or whatever. I believe that if you want to add a few additional FF extensions - IETab is one that comes in handy for manky IE-only websites - you can custom-build an installation package, although I'm not too clued up on how you do that. I looked into FF2 as a browser option a year or so ago as we were - and still are - thinking of switching. I ran across a company called FrontMotion who would do the packaging for a small fee. All you need once FF is installed is the firefox.adm to snap into your GPO. Alas, we still only use and support IE (well, except for those of us who are rebels), so loads of "Don't go on the Net" warnings have been flashing around the office today. I just opened a couple of extra tabs and laughed... Neil :)

Michael Kassner

Can you go into more details, please? Is it as granular as MS group policy? Also I was really referring to the fact that additional software has to be installed and managed whereas group policy and AD is already there. I'm not saying one is better than the other, just that the simplest path is to use what's already available.

neilb

Well, at least two... So the excuse that the enterprise-wide management of FF is not possible isn't really valid.

Michael Kassner

The fact that FF needs to be managed on an individual basis is a huge detriment to system admins in enterprise situations. How do you make changes for 1000s of users? That's why IE and group policy are winning IMO.

Neon Samurai

So far it's been painless but we're far smaller than an enterprise. IE has the benefit of full control through AD policy settings. I've been wondering if such a thing existed for Firefox. In terms of supporting it, FF has not added any complications yet. In a past life though, the enterprise was locked into using IE by badly written webapps. It gets worse too, IE7 would break existing webapps so even upgrading the version was not an option let alone moving to a completely different html viewer.

bryantc

There would not be that much extra work for the Enterprise since most are using some type of imaging software instead of manual installs on all new desktops/laptops/servers. The work would be in creating the image but you would have that work anyway. The biggest challenge is getting the internal developers (specifically web) to write their code to use whatever is the default browser and not just open IE.

Neon Samurai

FF being better or not is a topic no one can agree on but so far FF's history of vulnerabilities and time between report and patch have a better record than IE. FF also does not make use of ActiveX or embed itself deeply into every part of the OS so it's less open to exploitation through ActiveX and less potential results if it is used to break into the system. Also, FF's open policy means you can check out the bug reports and read over found and fixed flaws. Opera has a pretty good record also as far as browsers go. I'm not sure how Safari stacks up these days though.

Neon Samurai

Just deciding on how to measure "security" based on patch times and such is complicated let alone accounting for all the extra imposed variables outside of the purely technical challenges. We'd need an entire market shift before it could ever be empirically measured.

Michael Kassner

Also a subject that I'm nowhere near smart enough to determine the answer to.

Michael Kassner

I know there are some examples, but I've not been able to recall any personally.

husnk3w02

Just today when moving files from an SD card to my hard drive, I mistakenly deleted some files I had already moved from the card. I turned to a program I have used successfully in the past to recover files on my system: PC INSPECTOR File Recovery 4.x, which was able to successfully recover my files. However, if you click inside the program on the link to the home page or on the ad, guess what happens? Yep, it launches in Internet Explorer, regardless of your default web browser. And I wasn't even looking for an example ... http://www.pcinspector.de/default.htm?Language=1

Neon Samurai

Less of a comparison and more of a general overview and discussion. It'll still get ugly but most every discussion does if the forum runs long enough.

Michael Kassner

That's not my point though. I see that there appears to be all sorts of misinformation about what a browser does and can't do. My point is that a browser is the absolute number one weak link in the us-versus-them malware war. So what should we do about it?

Neon Samurai

The one issue I see with it is that if you are going to contrast and compare, how do you gauge an empirical measurement of the various browsers? It would be fantastically easy if all one needed do was count vulnerabilities and patches, but in reality there are degrees of severity, time to patch, exploitable versus non-exploitable maintenance. I'd be interested in what you did come up with, from that angle or another I'm not thinking of currently.

Michael Kassner

OK, I checked all the dictionaries that I know of and that's a bunch. I'm not sure a 56-year-old sports-challenged guy can swoop. I know I missed it Santee, you will have to spoon feed me on this one.

Michael Kassner

I sense that this is a good topic for an article. I'd appreciate everyone's thoughts on this. Web browsers are the number one attack vector today and IE is the weak link. Or is it? I see that we are divided about several topics, help me out. Do we need to get this figured out?

husnk3w02

Just to clarify, when I posted "Unfortunately 75%+ applications fall into this category" - the category in question is "badly written," not "exhibits the behavior of launching Internet Explorer instead of the user's default web browser." That statement was more of a general statement on the state of application development. Although the statement was hyperbole, assume it was not for a moment. If 75% of applications were badly written, and all badly written applications launched iexplore directly, that would not mean that 75% of applications launched iexplore directly, because not all applications launch URLs at all. But to the main point - I have definitely seen many applications in my time that do launch iexplore directly. Maybe they were all long ago and more recent applications are better behaved, maybe not.

Tony K

Been working in this industry for 20+ years, and in my current environment we've got 15k users using pretty much every application known to man and I just haven't seen this. Some other poster made the claim that 75%+ of apps do this, but I've never seen it...everything opens in Firefox (including Office Communicator 2007, which the other poster mentioned).

Neon Samurai

I could see any non-IE browser breaking if you load the Windows Update URL directly. From the Start menu's included "Windows Update" icon and wupdmgr.exe you should be getting IE consistently, just like Word, Excel and the rest of Windows use IE as the interface widget set and framework. That's my understanding anyhow.

husnk3w02

Only badly-written applications always launch Internet Explorer instead of the user's choice of default web browser. Unfortunately 75%+ applications fall into this category. Yes, many business applications do this, but also many smaller shareware/freeware utility-type applications. I've seen this behavior many times, and it aggravates me each time it happens, though I can't recall specific applications that do it.

Short-sighted Windows developers write their application to launch "iexplore.exe [url]," which will launch Internet Explorer (which they know will always be available on a Windows machine) to the URL. Many times this is because they don't realize just how easy it is to launch a URL in the default browser instance. Instead of launching "iexplore.exe," just execute the ShellExecuteEx API with the URL as the parameter, and voila, the same URL opens, but in the user's default web browser instead of always Internet Explorer.

I've also seen the same behavior for, say, .txt or .log files - an application will launch "notepad.exe [file]" instead of launching the default application for those types of files. The solution for this is exactly the same - just execute ShellExecuteEx on the file instead of launching a specific application! The developer doesn't even have to go to the trouble of querying the system to find out what application to launch - the API handles that for him. http://support.microsoft.com/kb/224816

A simple example for VB6:

    Call ShellExecute(Me.hWnd, "Open", "http://www.techrepublic.com", "", "", SW_SHOWNORMAL)

Also to what seanferd said, "or Help and Support" - also HTML Help (.chm) files for individual applications. If there is a helpfile for an application that has a link in it, that link gets visited from within the WinHelp application, using Internet Explorer as the browser engine - it does not launch your default web browser. There are many applications that use IE "hosted" in the application to display web sites where the same is true.
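The same "hand the URL to the shell" approach in Python, added here as an example rather than taken from the post or from any product it mentions. It calls the Win32 ShellExecuteW that the VB6 line above calls, and adds the check a defender wants in front of it: ShellExecute dispatches on the URL scheme or file extension, so an untrusted string such as a file: URL or a bare path would be opened by whatever handler is registered, not necessarily a browser. The function names and the non-Windows fallback to the webbrowser module are my own assumptions.

```python
import sys
from urllib.parse import urlsplit

# Only web schemes are passed to the shell. ShellExecute picks the handler from
# the scheme (or file extension), so anything else is refused up front.
ALLOWED_SCHEMES = frozenset({"http", "https"})
SW_SHOWNORMAL = 1  # Win32 nShow value, the same constant the VB6 call above uses


def is_safe_web_url(url: str) -> bool:
    """True only for absolute http(s) URLs with a host and no control characters."""
    if not isinstance(url, str) or any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return False
    parts = urlsplit(url.strip())  # urlsplit lower-cases the scheme for us
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def open_in_default_browser(url: str) -> bool:
    """Open url in the user's default browser instead of hard-coding iexplore.exe."""
    if not is_safe_web_url(url):
        raise ValueError(f"refusing to open non-web URL: {url!r}")
    if sys.platform == "win32":
        import ctypes
        shell32 = ctypes.windll.shell32
        shell32.ShellExecuteW.restype = ctypes.c_void_p
        # Same argument order as the post's VB6 snippet: hwnd, verb, file,
        # parameters, directory, nShow. The default browser is chosen by Windows.
        rc = shell32.ShellExecuteW(None, "open", url, None, None, SW_SHOWNORMAL)
        return (rc or 0) > 32  # an HINSTANCE value above 32 means success
    import webbrowser  # assumed fallback so the example also runs elsewhere
    return webbrowser.open(url)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate link and three that must not reach the shell.
    for candidate in ("http://www.techrepublic.com", "file:///C:/Windows/notepad.exe",
                      "javascript:alert(1)", "www.techrepublic.com"):
        print(candidate, "->", "allowed" if is_safe_web_url(candidate) else "rejected")
```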

dreron

Windows mess-enger; pretty much anything else that I've used honors the Firefox default browser setting.

jak

I'm not sure what you are doing different than me, but that is not the case here. When I am in Firefox, or have it set as default, Windows updates always fails to load until I change it. The only machines I have seen it work that way on is if they have IE Tabs loaded in Firefox.

Michael Kassner

I know some business apps will use IE regardless of the default settings.

chris

There are often lots of places that require IE. Some banking sites, certain CRMs, even apps used in house. As a PHP guy, I've never understood the need/desire to tie into the OS like that. I get the "fuller" experience, but I haven't really come across something that "needed" it.

Tony K

I've never seen that behavior, could you provide an example? If I set Firefox to be my default browser, that's what launches when I click a link in any application. Perhaps you're using something I'm not and I'd like to know what to be wary of.

seanferd

Or Help and Support, rather, for MS applications. Although these should connect directly to MS, IE is still the engine. I wonder if the vulnerable bit is used here, or if it only affects the IE browser.

.Martin.

but MSN does. My work website doesn't work on anything but IE either :p

Neon Samurai

At least it's an extra step if only a very small one (one, maybe two lines of code to make that connection?). Hopefully the publicity is enough to push MS for an early patch release.

Michael Kassner

A simple email in Outlook will trigger it. I think Communicator and Windows Messenger are the same way. I may be wrong though and would appreciate someone straightening me out on that.

Neon Samurai

All the local shortcuts are going to open through the IE engine, as will anything else requiring the Windows widget set.. so, everything pretty much. At least in that case, one would have to get the exploit delivered to the local machine and trigger execution through IE, so there are minimal outer layers to filter out the ill-intended noobs and save your rig for the scary well-written exploits.

Michael Kassner

If there is a link in any document or email, many times IE will open instead of your default browser.
