22 September 2006
Internet Explorer zero-day exploit less toxic than feared
The IE exploit that has drawn so much press attention this week
is unlikely to impact enterprise IT. Russ Cooper, senior analyst
at security firm Cybertrust, said: “IT security managers need
not be worried by this. Alerted, yes, but as long as they are practising
good internet hygiene, this problem should not affect them”.
Earlier this week, a previously undocumented flaw in Microsoft’s
IE web browser was discovered by Sunbelt Software, and verified
by Microsoft. It was reported that a critical, unpatched security
hole in the way IE 6 handles VML (an XML-based markup language
used to draw scalable vector images) is the cause of the vulnerability.
The flaw allows hackers to install malicious spyware, adware,
the VXGame Trojan and spybot war from rigged websites onto any computer
running IE 6 or earlier that simply visits the wrong site.
Surf responsibly
At present, only a handful of sites are exploiting the vulnerability,
all of which are either pornographic or otherwise “illegitimate”,
said Cooper. This, explains Cooper, is why the flaw should be insignificant
to businesses: “It’s negligible. It’s a flaw,
yes of course, however the exploits are only affecting those visiting
malicious websites. To those that surf responsibly and in good practice,
it’s insignificant”.
There are no statistics suggesting how many computers have been
compromised, but Cooper believes the number to be low, justifying
Microsoft’s decision to wait until the original date of 10
October to release a patch.
Eric Sites, Sunbelt’s vice president for software, however,
warns that exploits may spread to legitimate but poorly formed business
websites which hackers can manipulate: “So far it is not spreading
very fast, but we expect that in a week it will be everywhere. I
think this will be a large problem for businesses and companies
of any size”.
According to Gunter Ollmann, director of Internet Security Systems’
X-Force research lab, threats are already increasing dramatically:
“We’ve seen a three times increase in the number of
sites using the exploit [this week]”.
Same old, same old?
The appearance of a new exploitable flaw shortly after Microsoft’s
monthly patch release looks like a recurring pattern. A similar
attack on an unpatched IE flaw occurred at the beginning of this
year. When asked whether yet another critical security problem
in Microsoft’s code is the result of the company being lax,
however, Cooper replied: “Lax? No! But yes, they are
at fault. They made this software and it is flawed. Perhaps they
should have done more to protect against this, on the other hand
though, all software has the chance of vulnerabilities”.
Cooper dismissed the advice released in many news articles to switch
internet browser, warning that internet browsers should not be viewed
as a security tool: “Firefox isn’t without its faults.
Internet Explorer has certainly had its problems, but that’s
because everybody uses it, so of course criminal hackers will target
it. If we all start using Mozilla Firefox, then they will target
that. They’ll go where the money is. As people switch, the
target switches. Anyway”, he insisted, “if you are using
the internet responsibly, you won’t be affected”.
So, who is this threat coming from, in terms of hackers intent
on installing malware? “The same criminals who are spreading
viruses on a day to day basis, those who constantly infect vulnerable
systems. This isn’t hacking for fun, this is criminal activity
in order to get cash. It’s serious”, said Cooper.
Dangerous zero day after all?
Not everyone agrees that the threat is minimal. Secunia, provider
of vulnerability intelligence, has given the issue a highly serious
rating, warning that the threat is dangerous to all IE users. Ken
Dunham, director of the rapid response team at VeriSign’s
iDefense, is also fearful: “This new zero-day attack is trivial
to reproduce and has great potential for widespread web-based attacks
in the near future”.
There was one piece of advice which Cooper insisted was indispensable,
whether you choose to believe the media hype or remain skeptical
about the actual damage that this flaw can cause. “Patching
is not always a solution. Common sense, good internet practice and
reminders of the importance of careful surfing will ensure that
patching is not needed. It is a last resort, not the ultimate prevention
or solution”.