WARNING: New IE Virus

Started by Warning, Mar 28 06 04:51

Warning

Security Fix
Brian Krebs on Computer Security

Attacks on Unpatched IE Flaw Escalate

More than 200 Web sites -- many of them belonging to legitimate businesses -- have been hacked and seeded with code <http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=451> that tries to take advantage of an unpatched security hole <http://blog.washingtonpost.com/securityfix/2006/03/exploits_released_for_unpatche.html> in Microsoft's Internet Explorer Web browser to install hostile code on Windows computers when users merely visit the sites. In an update <http://blogs.technet.com/msrc/archive/2006/03/25/423116.aspx> to its Security Response Web log, Microsoft security program manager Stephen Toulouse <http://www.stepto.com/> said the attacks Redmond is seeing against the IE flaw "are limited in scope for now and are being carried out by malicious Web sites."

I have to call Microsoft out on both counts, and I think some of what I've uncovered so far about these attacks should make it clear that the situation is serious and getting worse by the hour.

According to a list obtained by Security Fix, hackers have infected at least 200 sites, many of which you would not normally expect to associate with such attacks (i.e., porn and pirated-software vendors). Among the victims are a regional business council in Connecticut, a couple of vacation resorts in Florida, a travel-reservation site, an online business consultancy, an insurance company, and a site featuring things to do at various cities across the country.

On Friday, hackers broke into the Web site of shipping company DLPromotionFreight.com and planted code that attempted to use the flaw to steal user names and passwords stored by IE. Yaniv Zahavi, chief technology officer for Intermakers Inc., the Plantation, Fla., company that manages the site, said it appears that only a handful of customers browsed the site during the few hours the attack code was present.

Security Fix learned the location of one Web site being used as a virtual drop box for user name and password data stolen from people who'd visited the network of hacked sites (the SANS Internet Storm Center has a great post <http://isc.sans.org//diary.php?storyid=1221> detailing exactly what one of these data-dump reports looks like). One of those victims was Abdel Marriez, a truck driver from Astoria, N.Y. The malicious program stole credit card information and credentials he used to access his e-mail online.

Marriez said he couldn't understand how the code could have landed on his computer, since he said he is fastidious about ensuring his Norton anti-virus program has the latest updates from Symantec. After this experience, he said, he plans to change browsers.

"IE and me are through, that's it," Marriez said.

That same password-stealing program landed on the Windows PC belonging to Reaz Chowdhury, a programmer for Oracle Corp. who works out of his home in Orlando, Fla. Chowdhury said he's not sure which site he browsed in the past 24 hours that hijacked his browser, but he confirmed that the attackers had logged the user name and password for his company's virtual private network (VPN). Chowdhury also uses Norton anti-virus, which did not pick up any signs of infection. He said he won't rely on his anti-virus program to clean things up.

"It's really not worth the risk," Chowdhury said. "I'm going to reinstall [the operating system] just to be sure."

Both of these situations illustrate the dangers of relying on only anti-virus software. That is not to say anti-virus software is useless. It is a necessary element of protection for any Windows PC, and for better or worse will remain so for the foreseeable future. But there is a window of time between the creation of a new virus or worm and the availability of new anti-virus "definitions" that identify the intruder as malicious.

Microsoft says Windows users should "take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code" and that people who want to use IE should either disable "active scripting" or download the IE7 beta2 preview <http://www.microsoft.com/windows/ie/ie7/default.mspx>.

Instructions for disabling active scripting are under the "workarounds" section of this Microsoft advisory <http://www.microsoft.com/technet/security/advisory/917077.mspx> (which incidentally is three clicks away from Microsoft.com homepage). Microsoft warns, however, that this may cause problems loading some Web sites.

Indeed, I tested this solution as Microsoft recommends and found I could no longer access my Web mail. Turns out I also needed to add it to my list of "trusted sites," though Microsoft's advisory doesn't really make that clear. See this non-Microsoft site <http://blogs.zdnet.com/Ou/?p=133> for a decent tutorial on how to set up your trusted-sites list.

Rather than download a "beta" (read: potentially unstable) version of IE or wait around for Microsoft to issue a fix, a far better idea would be to ditch IE altogether (or use it only when absolutely necessary). I use Mozilla's Firefox <http://www.mozilla.com/firefox/> for everyday browsing, but your mileage may vary. There are other options, of course, such as Opera <http://www.opera.com/> and Netscape <http://browser.netscape.com/>, to name a couple.

What amazes me is how many Windows users seem to blindly equate Internet Explorer with access to the Internet -- in much the same way that many America Online users are unsure whether they can use someone else's browser once they've signed on to their account. Even after you tell people that they may have just been whacked with a virus due to a flaw in IE, they still use it.

Case in point: One guy I contacted to tell him his site was serving up this exploit code went to check his home page and then told me his browser just crashed on him. I had to ask: "Don't tell me you just visited the site in IE?" He had. I could only shake my head and sigh.

By Brian Krebs | March 27, 2006; 07:23 AM ET

Trollio

People are still using IE?  
one must be intelligent to get intelligent answers.
— bebu

FireFox

    Trollio wrote:
People are still using IE?  

Only the stupid ones. Anyone still using IE at this point in time is either a total fool or must enjoy being a sucker for the virus du jour.

Really people....wise up- Get FireFox Now! <http://www.mozilla.com/firefox/>

Thread Cop

I hope the new IE that is coming with Vista is better. IE is more flexible in playing media files.  

P.C.

Are YOU talkin to ME ?????

*Yes I still use IE*
Sir Isaac Newton invented the swinging door....for the convenience of his cat.

Orik

switched to firefox last year. i like it better than ie and ie 7 is just a copy of firefox but sucks big time monkey balls.
i will stick with firefox, fast simple and easy to use... except those sites that don't work on firefox. which thankfully are few...

 
Never give up Never surrender Fight with ur last breath Fight 2 live & Fight 2 survive. Never say never & never say die. There comes a time when all will die A time we transcend & attain our place afterlife. My Fight is not yet done, I'm tired & I'd like to go home, But I'm not ready to go just yet.