Microsoft issues emergency patch to fix IE flaw

By Robert Westervelt, News Editor 17 Dec 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft issued an emergency out-of-cycle patch Wednesday to prevent ongoing attacks from successfully exploiting an XML flaw in Internet Explorer.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The MS08-078 update corrects an XML processing error and affects all currently supported versions of IE running on Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.

Initial reports of attacks in the wild said that only IE 7 was targeted, but after further investigation, Microsoft extended its warning to include all versions of the browser. A group of Chinese security researchers admitted to mistakenly releasing the code in the wild. The exploit is being tied to the Chinese Knownsec security team, which wrote a blog post explaining the blunder.

Microsoft IE flaw timeline: Dec. 12 Microsoft zero-day attacks target all versions of IE: In an update to an earlier advisory, Microsoft warned that all versions of Internet Explorer are vulnerable to an attack on an unpatched XML handling flaw.   Dec. 11 Microsoft acknowledges Internet Explorer zero-day attacks: The exploit was mistakenly released by a Chinese security team. Dec. 10 Unpatched Internet Explorer 7 flaw under attack: A new exploit for IE 7 is being used against fully patched Windows XP and Windows 2003 systems. Dec. 9 Microsoft fixes critical flaws in Office, IE: Dangerous flaws could allow an attacker to access sensitive files and gain complete control of a computer. More than two dozen flaws were patched. More Microsoft news: Microsoft updates code analysis tool, SQL injection XSS library: The tools for developers help identify flaws to protect enterprise applications against SQL Injection and cross site scripting attacks.

"You try to give enough information to make people aware but occaisionally give too much information," Henry said.

No vendor is immune to exploit code spreading in the wild, Henry said. In addition to Microsoft, Mozilla and Apple issued updates recently, addressing serious browser flaws.

"The browser has become the gateway onto the network," he said. "Web based malware is a huge problem and people aren't patching their browsers."

Since the discovery of attacks in the wild on Dec. 11, Microsoft said that 1 in 500 Internet users may already be infected. The software giant said hackers are planting the exploit on websites using SQL injection techniques. A successful attack infects systems with the Downloader-AZN Trojan, which then connects to a remote website and downloads additional malware. Although attacks have been limited, security experts warned that if carried out successfully, they could give an attacker the same user rights as the local user, and ultimately the ability gain access to sensitive data.

The zero day was discovered just a day after Microsoft issued eight security bulletins to repair 28 flaws in its product line, including several serious flaws in Internet Explorer.

Eric Schultze, chief technology officer of patching vendor Shavlik Technologies, called media reports of the IE flaw overblown. Some called for users to switch to alternative browsers. The attack is no different than other zero-day flaws reported in the past, and now with a patch released users will be protected, he said.

"Those so called legit websites passing on this infected exploit have many more issues to deal with," Schultze said in a phone interview. "The attackers seemed to have taken a liking to this particular issue, actually hacking into Web servers to inject code and infect sites."

Prior to the patch release, Microsoft recommended several workarounds. Those that implemented them found that it broke functionality for some internal applications, Schultze said. Some security pros who implemented the workarounds will now have to deploy the patch and reverse them.

"In some cases they thought it was a serious enough threat to implement the workarounds anyway," he said. "It's a risk reward thing."

Danish vulnerability clearinghouse Secunia has given the flaw an extremely critical rating because it is being actively exploited.

This fix marks the second time in only two months that Microsoft has released a security patch outside of its monthly cycle. It usually issues patches on the second Tuesday of each month. Microsoft issued an out-of-cycle patch in October, correcting a dangerous remote procedure call (RPC) error. That flaw was also being actively exploited in the wild. Prior to that, Microsoft released a patch in April 2007, fixing a Windows ANI curser handling flaw.

Tags: Security Patch Management,  Windows Security: Alerts, Updates and Best Practices,  Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates? Windows Security: Alerts, Updates and Best Practices Microsoft to address flaws in Windows, Office for Mac Microsoft fixes security update that breaks Internet Explorer What is the best database patch management process? Microsoft addresses critical SMBv2 flaw, fixes record number of flaws Microsoft to address SMB zero-day, IIS FTP Service vulnerabilities Microsoft releases temporary fix for SMB2 zero-day vulnerability Microsoft issues SMB vulnerability advisory, patch pending Attackers target Microsoft IIS; new SMB flaw discovered Microsoft repairs Windows media, TCP/IP vulnerabilities Microsoft five critical updates won't include IIS Web Browser Security Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology New Bahama botnet evades search engines, fuels click fraud SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary