TOPIC: IE Bug Can Be Exploited Via E-Mail
Just previewing a message could result in a computer hijacked by a bot or loaded with adware, spyware, or other malicious code, a researcher says.

By Gregg Keizer / TechWeb

Exploits against the unpatched vulnerability in Microsoft's Internet Explorer are increasing and attackers are gathering momentum, researchers said Thursday. They warned that the problem would become worse if cyber criminals attack via e-mail next. "It might come to nothing, but it feels like a storm's coming," said Roger Thompson, the chief technology officer at Exploit Prevention Labs. "The potential is there. Call it a storm watch, not a storm warning."
At least two different exploits have appeared this week, said Thompson, one linked to the Russian-made hacker exploit kit called WebAttacker, the other posted early Thursday on the xSec gray-hat vulnerability research site. That second exploit can launch remote code without using JavaScript, as did the original inserted in the WebAttacker kit; it's more dangerous for that reason. "The xSec exploit doesn't work as posted," said Thompson. "It only crashes the browser. But it looks like it would be easy to turn it into a working exploit."
Worse, the current attack vector -- malicious Web sites that infect only those who happen to view one of their pages -- may be replaced by a wide scale attack carried out by e-mail, said Ken Dunham, the director of iDefense's rapid response team. "The newest exploit works with e-mail," said Dunham. "We took the newest version of Outlook, all patched, and the exploit crashed it." With some help from iDefense researchers, however, the exploit was able to execute other code. That means e-mail clients that preview HTML messages using the IE rendering engine are at risk. Just previewing a message could result in a computer hijacked by a bot or loaded with adware, spyware, or other malicious code. "You would be attacked immediately, as soon as the preview is rendered," said Dunham.
Dunham's surer than Thompson that the VML vulnerability will soon explode. "It's imminent. I would not be surprised if a small number of e-mails were already being sent to companies or governments."
"It would be nice if Microsoft released a patch," he added. But there are no indications that Microsoft will break from its regular security update schedule, which is set to release fixes on October 12th, two-and-a-half weeks away. For Dunham, it wouldn't be a stretch to assume that slick, sophisticated cyber criminals will target specific organizations -- companies, universities, and government agencies -- with e-mail infections. "There are people out there with a military or state or political agenda. They have targets, and they've identified those targets. All they're doing is looking for a way to compromise those computers."
The motivation? One of the oldest in the book: Money. "There is a market in the underground for corporate or government secrets," said Dunham. "An attack [like this] could even threaten a country's national security."

Isn't it time we all switched from Internet Explorer to a more secure browser? Website authors should stop forcing us to use IE6 and get smart -- or they may be left in the dust cloud of vulnerabilities and malware. The root of the problem lies with Microsoft, though. They are to blame for the holes that plague Internet Explorer. Microsoft is the ONLY ONE that can fix the problem -- yet they constantly choose to put bandaids on a gaping wound. I don't want government interference in Internet matters, so maybe it's time large private sectors companies and public interest groups started putting TONS of pressure on Microsoft.
Personally, I use Firefox 99% of the time and Internet Explorer only on sites that require it. Even then, I send nastygrams to the webmaster telling them how shortsighted and insecure their websites are for forcing IE use. THINK it over and then ACT folks. It's high time Microsoft's feet was held to the fire.