[ISN] Redmond Mulls Emergency Patch for IE Attacks

From: InfoSec News (isn@private)
Date: Thu Dec 01 2005 - 22:14:10 PST


http://www.eweek.com/article2/0,1895,1894820,00.asp

By Ryan Naraine 
November 30, 2005 

Microsoft Corp. is working on a plan to release an out-of-cycle patch
to cover a gaping hole in its dominant Internet Explorer browser.

Sources say the MSRC (Microsoft Security Response Center) is
aggressively aiming to release the emergency IE fix ahead of the
December 13 Patch Tuesday schedule.

Officially, the company isn't commenting on a timeline for the IE
patch. A Microsoft spokeswoman said the creation of security updates
is "an extensive process involving a series of sequential steps."

"There are many factors that impact the length of time between the
discovery of a vulnerability and the release of a security update, and
every vulnerability presents its own unique challenges."

However, a source familiar with the company's thinking said the
out-of-cycle update is dependent on the patch holding up through a
"very rigorous" quality assurance testing process.

"If the patch isn't ready from a quality standpoint, it won't be
released. But with an attack already underway, I think you'll see an
emergency patch," the source said.

Microsoft late Tuesday updated its security advisory to confirm it was
aware of a zero-day exploit and a drive-by malware attack targeting
the unpatched vulnerability.

Alex Eckelberry, president of anti-spyware vendor Sunbelt Software,
said his company first detected the drive-by downloads earlier this
week and reported its findings to Microsoft.

"This is a pretty nasty exploit. You just have to visit the
[malicious] site and your computer gets hosed. It's dropping a Trojan
downloader that takes control of the victim's machine," Eckelberry
said in an interview.

Sunbelt Software researchers have confirmed the exploit is being
launched from a handful of malicious Web sites.
 
He said the drive-by exploit was successfully loading
pornography-themed spyware programs on fully patched Windows XP SP2
machines.

"If there's one time Microsoft needs to go out-of-cycle with a patch,
this is it," Eckelberry declared.

Stephen Toulouse, an MSRC program manager, said Microsoft's anti-virus
engine has been updated to detect the latest attack, which drops a
piece of malware called TrojanDownloader:Win32/Delf.DH.

Anti-virus vendor McAfee Inc. identified it as JS/Exploit-BO.gen and
confirmed it was using the zero-day "Window()" remote code execution
exploit released last week by a UK-based group called "Computer
Terrorism."

Eckelberry said that he was aware that Kaspersky Lab and Symantec
Corp. had updated its virus definitions to detect the latest attack.

In Microsoft's advisory, the company recommends that customers can
visit its new Windows Live Safety Center and use the "Complete Scan"  
option to check for and remove the malicious software and future
variants.

The Safety Center, which is part of the company's new 'Windows Live'
initiative, lets customers run free Web-based computer scans to detect
and remove viruses and other known malware.

It currently works only on IE and uses an ActiveX Control to scan for
and remove viruses. It is also capable of detecting vulnerabilities on
Internet connections.

Johannes Ullrich, chief research officer at the SANS ISC (Internet
Storm Center), said in a recent interview that the severity of the
vulnerability and the public release of exploit code should force
Microsoft into releasing an out-of-cycle update.

"This one certainly qualifies for an emergency patch. How much worse
can it get? At this stage, you really can't wait for next month to get
a fix out there," Ullrich said.

Since moving to a monthly release cycle in late 2003, Microsoft has
released three out-of-cycle patches, all for "critical" IE flaws.



_________________________________________
Earn your Master's degree in Information Security ONLINE
www.msia.norwich.edu/csi
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.



This archive was generated by hypermail 2.1.3 : Thu Dec 01 2005 - 22:46:54 PST