Microsoft issues emergency IE patch as attacks escalate

Microsoft has issued a rare emergency update for its Internet Explorer browser as miscreants stepped up attacks targeting a vulnerability on hundreds of thousands of webpages. In many cases, the websites distributing the toxic payload are legitimate destinations that have been commandeered, allowing an attacker to snare …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Dead Vulture

    Computing for dummies?

    So we should update then?? A direct link to the patches would be nice (http://www.microsoft.com/technet/security/bulletin/MS08-078.mspx) instead of telling IT professionals how to use Windows update.

  2. Adrian Midgley

    Web hosts?

    What software are the sites holding the attack code hosted on?

    And how did they get commandeered?

  3. vincent himpe

    question is

    how did all those sites get the payload installer in the first place ...

    Happily using Opera with java and flash turned OFF.

    the phishers can phuck off

  4. Moss Icely Spaceport
    Alert

    It never ceases to amaze me..

    ....just how badly the popular media report and mis-report on technology issues like this.

    Why are media outlets so fecking clue-less when it comes to the net and computers in general?

  5. Spencer Davies

    With IE Being The Industry Standard Browser, What's New

    I don't touch IE since it went to 7..loved 6.

    Now on Opera..Best and most secure out there in my opinion.

    If a hacker can get past a normal linksys firewall, a sega dreamcast turned into a firewall, nod32 firewall and windows firewall then they are damn good!.

  6. Dan Goodin (Written by Reg staff)

    @Matt Ashworth

    Good point. Story updated. Thanks for the suggestion.

  7. Jeremy
    Flame

    Happily using Opera

    Happily using Opera are you? Except for all those apps that use an embedded IE-based WebBrowser control, huh?

    Anyway, tell me this, MS, why when I haven't used IE since my last reboot, do I have to restart my computer to install? None of its libraries should be loaded. Message to Microsoft: Get your damn dirty browser out of the OS!

  8. Emo
    Alert

    Just Googled it

    and ardoshanghai.com/s.js appears on 279,000 sites!

  9. BioTube

    This is why I use

    Konqueror. That and IE don't run well on Linux. Hell, most malware doesn't even start under Wine.

  10. Henry Wertz Gold badge

    Opera, reboots

    "Happily using Opera are you? Except for all those apps that use an embedded IE-based WebBrowser control, huh?"

    Interestingly it's possible to get rid of this -- wine actually handles several forms of embedding ie, embedding a firefox/mozilla rendering engine instead. It'd be nice to be able to take this and plug it into Windows somehow.

    "Anyway, tell me this, MS, why when I haven't used IE since my last reboot, do I have to restart my computer to install? None of its libraries should be loaded. Message to Microsoft: Get your damn dirty browser out of the OS!"

    The short of it, because Microsoft does not have package management. This really causes a lot of problems for them IMHO.

  11. Michael Xion

    @emo

    ..Is it me or are just about all the sites that quote that code in Korean?

  12. Anonymous Coward
    Anonymous Coward

    As you know its gonna happen ...

    ... and the "don't use Microsoft, it's crap" will start and everyone will happily proclaim that they use Firefox. I feel a link to another Reg article is needed to stave off this onslaught:

    http://www.theregister.co.uk/2008/12/17/mozilla_3_0_5_and_2_0_0_1_9_updates/

    just to preempt them (btw yes it does allow code execution and this one with no input from the user as well!)

  13. Anonymous Coward
    Unhappy

    Time to ditch IE ....

    Well, I would update IE but I really, really don't want to install WGA as well. Time to ditch IE completely methinks ....

  14. Jach
    Linux

    Nasty little browser...

    I'm glad I'm free of all of it with Linux. You have to hand it to M$ though for fixing it in such a timely manner.

  15. Anonymous Coward
    Anonymous Coward

    Influence

    I wonder how much influence the announcements over the last few days in the national news that users should change to a different browser had on Microsoft in rushing out the patch?

  16. Anonymous Coward
    Anonymous Coward

    @Spencer Davies

    First golden rule of security Spencer, is not to disclose details of your security architecture.

    Hackers will use any snippet of information they can to identify ways to attack your system.

    I notice that you have all these firewalls, but you seemingly have them configured in the most basic of configurations. If a hacker can get through one firewall, he'll get through the second in your architecture, if he really thinks your system is worth hacking and might have something he wants.

    I'd suggest you look at other firewall architectures, in particular using DMZs.

    Hackers don't tend to care much about bravado.

  17. Anonymous Coward
    Linux

    @Henry

    IE was integrated deep into the OS so that it could not be removed, this made it less likely that another browser would be installed. So when IE updates it is really your OS getting updated.

    Even on Linux it seems you need to reboot after every third update (give or take). I am a Linux newb and maybe it is possible to stop/start strategic services, but the only option given to me is "Reboot". It's no big deal though.

    ps FireFox with the usual add-ons, just gone to 3.0.5.

  18. Ken Hagan Gold badge
    Flame

    Re: Web hosts?

    "The *real* question is why the various self-appointed censors of the internet don't automatically blacklist a site that "requires IE" rather than using W3C standards."

    On reflection, that's unfair on MS. In the spirit of fairness, I'd like to extend my suggestion to any site that uses the user-agent string for any purpose. Happily, this change also makes it easier to compile the blacklist.

  19. Ken Hagan Gold badge
    Flame

    Re: Web hosts?

    "What software are the sites holding the attack code hosted on? And how did they get commandeered?"

    They're probably sites that "are best viewed using Internet Explorer". Perhaps they even offer a link to the IE download page. Let's face it, such sites are managed by idiots, so it is hardly surprising that they've been hijacked by malware.

    The *real* question is why the various self-appointed censors of the internet don't automatically blacklist a site that "requires IE" rather than using W3C standards. Surely there's a correlation. If I were farming out malware, I'd probably *deliberately* put in some code that requires IE, just to encourage folks to use the preferred vector ^H^H^H browser.

  20. Daniel Jones
    Linux

    @Michael Xion

    Yep, and pick 'pages from the UK' in google and you get.....

    A link to this article. And that's it. I'm not saying we're immune (happily using Firefox w/NoScript add-on installed here) as this isn't the only filename, though.

    I only use IE when I /absolutely/ have to. And I complain bitterly when companies force me to use IE. (Saying your company has standardized on Firefox (which mine has) and that you'll be on the lookout for another supplier which doesn't force you to use IE generally gets some attention)

  21. TeeCee Gold badge
    Gates Horns

    @Jeremy

    Rather than it being down to IE being part of the OS, it's more likely to be WFP / dllcache at work here.

    One or more of the DLLs being patched will be flagged as protected by WFP and the reboot's required to move in the new DLL version and refresh the copy in dllcache.

    Swings and roundabouts. On one hand, it should be perfectly possible to build WFP or similar in such a way that dllcache sekkuritty* backup copies can be changed outside boot time. On the other this is MS, so if they provided such a mechanism it'd almost certainly be possible to exploit it remotely, blowing away the last figleaf from XP's insecure dangly bits. On the third hand (thanks Zaphod) the reboot requirements foisted on us by WFP are a disincentive to patch.......

    *i.e. A bit like "security" but not close enough to the real thing to be useful.

  22. MacroRodent
    Unhappy

    HTML mail danger?

    Jeremy: "Happily using Opera are you? Except for all those apps that use an embedded IE-based WebBrowser control, huh?"

    Doesn't this mean a HTML-formatted spam can carry the infection if opened in Outlook? If so, I wonder why this form of attack has not been reported. Maybe there is something making it infeasible?

    (It could hit even me. At work I'm forced to use Outlook 2002 (gack!), and although the company has spam filters, some of it trickles through, and sometimes I open a spam message by mistake, typically because Outlook sometimes forgets that I don't want preview panes...).

  23. Anonymous Coward
    Anonymous Coward

    @Moss Icely Spaceport

    It's not just the net/computers... try space, nuclear energy, physics, astronomy, motorcycles, or just about anything technical. I've seen stuff mutated literally almost past recognition.

    "Getting the story right" just isn't a concern for most news "journalists" so as a result I consider 99% of it to be purest bullshit. That's why I come to places like El Reg, who mostly get it right.

  24. Anonymous Coward
    Anonymous Coward

    Firefox updated too!

    That is all.

  25. Andy Worth

    Patch now!

    Or just stop using Internet Explorer entirely......

  26. Roger Barrett

    tried looking at Empire with Firefox

    Used Firefox last night and tried looking at Empireonline.com and it's been blocked by my phishing filter. Is this the same problem?

  27. Spencer Davies

    Re @Spencer Davies

    I've been running the same setup for just over 6 years now and had no particular threats. The only threat I have is configuring my dreamcast to accept Xbox Live, which is a pain.

    My parents' machine downstairs is probably the most likely to get hacked, as he goes off a different broadband connection altogether and he just uses a plain firewall (Windows, to my dismay).

    Anyway, back to the main subject.

    I believe you can't stop using IE altogether because, if I remember correctly, it's integrated into the shell: Internet Explorer, Windows Explorer, etc.

  28. Tim Jenkins
    Flame

    Re: Web hosts?

    A quick Googl$ for the ardoshanghai.com/s.js string appears to show the majority of sites hosting that particular form of the hostile code for this exploit serving .asp?*** or .aspx?*** urls. I'm guessing this indicates they are serving from IIS of some description, which would probably indicate compromise through unpatched holes there (or automated SQL injection, perhaps).

    Could it be that Korean domains dominate because as I understand it the current trojan delivered through this hole is installing game password stealers, and those .kr peeps are probably the most lucrative market for 'hot' virtual property?

    Flames because quite a lot of people are going to be burned by this one over the holiday season...

  29. Albert Stienstra

    @Henry Wertz, packages

    But Windows does have package management, check %WINDIR%\servicing\Packages

  30. EJ
    Thumb Up

    Details = good

    Kudos to El Reg for giving particulars on the script name and sites hosting the script - many other IT 'news' sites fail to give us those basics. Any chance of getting at least a partial list of the other sites, or perhaps a link to where the info may be posted?

  31. Dan Goodin (Written by Reg staff)

    @Details = good

    EJ,

    Thanks for the kind words. I've updated the article to include the following paragraph:

    Attack strings in separate SQL injections include 17gamo.com/1.js. Researchers say the number of attack sites is too high to keep exhaustive lists, but Shadowserver is doing an admirable job here (http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210)

    Someone else asked what platforms the hacked sites were running on. That information wasn't available, but in general SQL injections attack web applications that fail to sanitize user input rather than the underlying database. Many of the SQL injections in the past worked on a variety of database programs. (See http://www.theregister.co.uk/2008/05/14/asprox_attacks_websites/ and http://www.theregister.co.uk/2008/04/25/mass_web_attack_grows/)

    Cheers,

    Dang
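
The distinction Dan draws above, that SQL injection hits the web application that builds queries from unsanitised input rather than the database engine, as an added Python example that is not code from the article, the thread or any of the sites discussed. It uses an in-memory SQLite table as a stand-in for a site's content store; the table, its rows, the `search_*` and `find_injected_scripts` helper names and the `www.example.com` trusted host are constructed for the example, while the `ardoshanghai.com/s.js` reference is the one named in the thread. The vulnerable lookup concatenates the search term into the SQL text, the safe one passes it as a bound parameter, and the scanner is the kind of cheap detective check a site owner could run over stored content for script tags that point at hosts they do not own.

```python
import re
import sqlite3

# Constructed sample content (not taken from any real site). Row 2 carries an
# injected external script reference of the kind the thread describes; row 3
# carries a legitimate, same-origin script for contrast.
SAMPLE_ROWS = [
    (1, "Welcome", "<p>Hello</p>"),
    (2, "News", '<p>Update</p><script src="http://ardoshanghai.com/s.js"></script>'),
    (3, "About", '<p>About us</p><script src="/static/app.js"></script>'),
]


def make_db():
    """Build an in-memory 'CMS' table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Deliberately flawed: the user-supplied term becomes part of the SQL text,
    so a term containing a quote can change the query's meaning."""
    sql = "SELECT id FROM articles WHERE title = '" + term + "'"
    return sorted(row[0] for row in conn.execute(sql))


def search_safe(conn, term):
    """Parameterised: the driver sends the term as data, never as SQL, so the
    same input is matched literally against the title column."""
    sql = "SELECT id FROM articles WHERE title = ?"
    return sorted(row[0] for row in conn.execute(sql, (term,)))


# Matches <script ... src="[scheme:]//host/..."> and captures the host.
# Relative (same-origin) src values such as /static/app.js do not match.
EXTERNAL_SCRIPT = re.compile(
    r"""<script[^>]+src=["']?(?:https?:)?//([^/"'\s>]+)""", re.IGNORECASE
)


def find_injected_scripts(conn, trusted_hosts):
    """Return (article id, host) pairs for every stored body that loads a script
    from a host outside the given set. A hit is a symptom worth investigating,
    not proof of compromise on its own."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for art_id, body in conn.execute("SELECT id, body FROM articles"):
        for match in EXTERNAL_SCRIPT.finditer(body):
            host = match.group(1).lower()
            if host not in trusted:
                hits.append((art_id, host))
    return hits


if __name__ == "__main__":
    db = make_db()
    # A search term carrying a stray quote: harmless data to the safe query,
    # a change of logic to the concatenated one.
    odd_term = "News' OR '1'='1"
    print("vulnerable:", search_vulnerable(db, odd_term))   # every row
    print("safe:      ", search_safe(db, odd_term))         # no such title
    print("suspect script hosts:", find_injected_scripts(db, {"www.example.com"}))
```

The point of the pair of search functions is that nothing about the database changed between them; only the application's habit of building SQL by string concatenation makes the first one exploitable, which is why the same campaign could hit sites on any database product. The scanner is a read-only check over what is already stored; it flags the symptom (a script tag fetching from an unexpected host) and leaves the decision to a person.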

  32. Anonymous Coward
    Flame

    You can set your watch to it

    The minute a patch for Windows/IE comes out, there will be someone within 30 minutes trumpeting what OS/browser THEY prefer/are running.

    "Wow - I'm so glad that person X on The Reg forums is using Opera! I should run Opera, too, because person X is just so in-the-know!"

    Come on, guys/gals - the comments section would be a bit more relevant if the rest of us didn't have to wade through gratuitous postings about what makes you so technically beyond the ~90% of the rest of the web. We get it already.

  33. Homard
    Coat

    The Really Scary Bit ......

    .... is how if you're just running as a normal user, and not with admin rights, you can get a keyboard scanner installed on what is effectively a browse-by download. I'm by no means an expert, nor for that matter a particularly good programmer, but the only way I can see to do this is to map onto the keyboard I/O memory address range, and then poll the memory space (so you don't register the interrupt) to read the scancodes. On a secure system the kernel should tightly control access to this area of memory to those with admin rights. Even if the program is downloaded, how is it allowed to run?

    Am I missing something, or does everyone use Windows with admin rights?

    I'll get me coat cos it'll give my back some heat protection from the uber programmers glaring at me for my utter lack of knowledge.

  34. Moss Icely Spaceport
    Alert

    @AC - Thursday 18th December 2008 07:15

    I agree with you!

    I've seen newspapers and TV get some of the most famous news images wrong on quite a few occasions.

    - The classic image of Buzz Aldrin standing on the moon - said by some media outlets to be Neil Armstrong!

    - The even more classic image of Tenzing Norgay Sherpa standing on Mt Everest's summit - said to be Sir Ed Hillary!

    If you can't see their faces, even more reason to check your facts!

    </rant>

    I also agree that the Reg is not included in the above criticism.

  35. Bob
    Gates Horns

    Re: Web hosts

    If Korean hosts are being targeted it could be because 99.9% of Koreans use Internet Explorer and rely on ActiveX for secure transactions. That's a good market, plus they do like their virtual stuff. The government bought into a monopoly, didn't wait for SSL encryption, and are only just digging their way out, but none too quickly.

    http://www.kanai.net/weblog/archive/2007/01/26/00h53m55s#003095

    http://www.koreatimes.co.kr/www/news/biz/2008/11/123_34713.html
