An exploit of an unpatched Internet Explorer vulnerability has been added to a popular crimeware kit, a move that will probably push Microsoft to fix the flaw with an emergency update, a security researcher said Sunday.
Meanwhile, a prominent vulnerability expert has sided with Microsoft, which has said the bug will be difficult to exploit in Internet Explorer 8 (IE8), the most popular version of the company’s browser.
Last week, Microsoft warned users of its IE6, IE7 and IE8 browsers that hackers were already exploiting a vulnerability in the programs by tricking them into visiting malicious or compromised Web sites. Once at such a site, users were subjected to a “drive-by” attack that required no action on their part to succeed.
Symantec was the first to report the IE bug to Microsoft after the antivirus vendor captured spam posing as hotel reservation notifications sent to select individuals within several organizations.
On Sunday, Roger Thompson, chief research officer of AVG Technologies, said that an exploit for the newest IE flaw had been added to the Eleonore attack kit, one of several readily-available toolkits that criminals plant on hacked Web sites to hijack visiting machines, often using browser-based attacks.
“This raises the stakes considerably, as it means that anyone can buy the kit for a few hundred bucks, and they have a working zero-day,” said Thompson on his company’s blog.
Microsoft has promised to patch the vulnerability, but last week said that the threat didn’t warrant an “out-of-band” update, the company’s term for a fix outside the usual monthly Patch Tuesday schedule. Microsoft will deliver three security updates Nov. 9, but won’t fix the IE bug then.
Thompson disagreed with Microsoft’s assessment.
“I think they’ll have to [do an out-of-band update],” Thompson said via instant message on Sunday when asked to bet whether Microsoft will release an IE fix before Dec. 14, the next regularly-scheduled patch date after Tuesday. “I expect attacks will accelerate.”
However, AVG — like Microsoft and Symantec — has so far seen only a small number of attacks leveraging the vulnerability.
The exploit added to Eleonore may have been cadged from the Metasploit open-source penetration testing kit. Last Thursday, researcher Joshua Drake added an exploit module for the IE bug to Metasploit.
“We do see a lot of exploits essentially cut and pasted from Metasploit [proof-of-concepts],” said Thompson.
Microsoft has urged IE users to enable DEP, or data execution prevention, for IE7, use IE8 or IE9, or run one of its automated “Fix-it” tools to add a custom CSS template to their browsers as protection until a patch is available.
The vulnerability is in IE’s browser engine’s parsing of HTML pages, and can be exploited with a specially-crafted CSS (cascading style sheet) tag.
Microsoft’s security experts said that it was unlikely attackers could successfully exploit the flaw in IE8 because that browser automatically enables DEP, a defensive measure baked into Windows that’s designed to make it impossible, or at least difficult, for hackers to reliably exploit bugs.
Microsoft also suggested that users consider migrating to IE9, the still-under-construction browser that was released as a public beta in mid-September.
But that route cannot be taken by users of IE6, the most vulnerable version and the one apparently targeted by current attacks, because those people are almost certainly running the browser in Windows XP. IE9 does not run in XP.
Rival browsers, such as Mozilla’s Firefox, Google’s Chrome, Apple’s Safari and Opera Software’s Opera, are not vulnerable to the malformed CSS tag attack.
According to the latest statistics from Web analytics company Net Applications, IE8 accounted for more than half of all copies of Internet Explorer used last month, while IE6 represented about a quarter of all Microsoft browsers run in the same period.