News

Hackers Targeting IE7 After Security Patch Issued

• By Jabulani Leffall
• February 18, 2009

On Tuesday, software security firm Trend Micro said hackers are targeting a hole in Internet Explorer 7 that was addressed in Microsoft's February security patch issued last week.

The attack is carried out using a malicious Microsoft Word .doc file packing an ActiveX object. It directs users' browsers to a Web site containing malicious HTML code. Microsoft's MS09-002 security bulletin, part of the patch released last week, would at this point protect IE7 users against the malicious HTML code, provided that the patch was applied.

The vulnerability stems from the way in which IE handles deleted cookies, data and Web pages, causing an error that enables hackers to run a remote code execution exploit. Microsoft lately has had its hands full in patching older IE versions. This exploit appears less than two months after Redmond issued an off-cycle patch fixing vulnerabilities in the popular browser.

Security experts, including Trend Micro's Jake Soriano and nCircle's Andrew Storms, say it is important to install the previously released patch now. They add that this smaller targeted exploit may be the first of many such attacks given that IE7 is used by more than 25 percent of all Web surfers. The malware authors in this case are targeting the downtime between patch installations as the interval for attack.

"This exploit code is not good news for enterprises," Storms said. "Not even a week has gone by since Patch Tuesday and we already have in-the-wild exploit code. This along with the wildfire spread of the Conficker worm is a perfect example of how long it takes enterprises to deploy patches."

In the past, security researchers have facetiously referred to the day after a patch release as "Exploit Wednesday." However, the idea that hackers are looking at patches, finding weaknesses and creating exploits is being taken more and more seriously.

Qualys pulled data on response time to IE patch releases, finding that IE patches were sometimes treated with less urgency than patches for other applications.

With the uptick of browser-borne exploits, Microsoft might want to adjust the patching cycle for IE, according to Wolfgang Kandek, Qualys' chief technology officer. Kandek suggested that a daily automatic update check for Internet Explorer would be beneficial for its millions of users.

"[Redmond] should enable fast patching for IE in a way similar to other browser vendors, such as Google's Chrome and Mozilla's Firefox, which require little or no interaction from the user. IE8 could be a great opportunity to investigate such a capability," Kandek said.

With such a procedure, both security administrators and Web application developers could close the gap on hackers and decrease the time they have to turn patches inside out. Such a plan would probably help stave off future exploits.

SANS Institute security researcher Bojan Zdrnja believes that in this case, hackers waited for the patch and then picked it apart by reverse engineering the code and finding a weakness.

"The exploit targets Internet Explorer 7, but so far it has been delivered to the end user as a Word document," Zdrnja wrote in his blog on the Internet Storm Center's Web site. "That being said, there is absolutely nothing preventing attackers from using the exploit in a drive-by attack and we can, unfortunately, expect that this will happen very soon."

Because Exploit Wednesday seems to more common these days, nCircle's Andrew Storms suggests that IT pros establish enterprise-specific fail-safe programs for the time between patch rollout and installation.

"If your security team can't speed up your patch deployment process, then it's time to start thinking about other ways to help mitigate the risk," he said.