Microsoft issued an emergency out-of-cycle patch Wednesday to prevent ongoing attacks from successfully exploiting an XML flaw in Internet Explorer.
The MS08-078 update corrects an XML processing error and affects all currently supported versions of IE running on Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.
Initial reports of attacks in the wild said that only IE 7 was targeted, but after further investigation, Microsoft extended its warning to include all versions of the browser. A group of Chinese security researchers admitted to mistakenly releasing the code in the wild. The exploit is being tied to the Chinese Knownsec security team, which wrote a blog post explaining the blunder.Paul Henry, security and forensic analyst at patch management vendor Lumension Security, said that within a day of the flaw details being released, he was able to download proof-of-concept code.
"You try to give enough information to make people aware but occaisionally give too much information," Henry said.
No vendor is immune to exploit code spreading in the wild, Henry said. In addition to Microsoft, Mozilla and Apple issued updates recently, addressing serious browser flaws.
"The browser has become the gateway onto the network," he said. "Web based malware is a huge problem and people aren't patching their browsers."
Since the discovery of attacks in the wild on Dec. 11, Microsoft said that 1 in 500 Internet users may already be infected. The software giant said hackers are planting the exploit on websites using SQL injection techniques. A successful attack infects systems with the Downloader-AZN Trojan, which then connects to a remote website and downloads additional malware. Although attacks have been limited, security experts warned that if carried out successfully, they could give an attacker the same user rights as the local user, and ultimately the ability gain access to sensitive data.
The zero day was discovered just a day after Microsoft issued eight security bulletins to repair 28 flaws in its product line, including several serious flaws in Internet Explorer.
Eric Schultze, chief technology officer of patching vendor Shavlik Technologies, called media reports of the IE flaw overblown. Some called for users to switch to alternative browsers. The attack is no different than other zero-day flaws reported in the past, and now with a patch released users will be protected, he said.
"Those so called legit websites passing on this infected exploit have many more issues to deal with," Schultze said in a phone interview. "The attackers seemed to have taken a liking to this particular issue, actually hacking into Web servers to inject code and infect sites."
Prior to the patch release, Microsoft recommended several workarounds. Those that implemented them found that it broke functionality for some internal applications, Schultze said. Some security pros who implemented the workarounds will now have to deploy the patch and reverse them.
"In some cases they thought it was a serious enough threat to implement the workarounds anyway," he said. "It's a risk reward thing."
Danish vulnerability clearinghouse Secunia has given the flaw an extremely critical rating because it is being actively exploited.
This fix marks the second time in only two months that Microsoft has released a security patch outside of its monthly cycle. It usually issues patches on the second Tuesday of each month. Microsoft issued an out-of-cycle patch in October, correcting a dangerous remote procedure call (RPC) error. That flaw was also being actively exploited in the wild. Prior to that, Microsoft released a patch in April 2007, fixing a Windows ANI curser handling flaw.