Windows users ambushed by attack on fresh IE flaw

Thousands of websites have been hit by fast-moving exploit code that installs a cocktail of nasty malware on visitors' computers by targeting a previously unknown vulnerability in some versions of Internet Explorer. The compromised websites link to a series of servers that exploit a zero-day vulnerability in an IE component …

COMMENTS

This topic is closed for new posts.
  1. KarlTh

    Easy way to mitigate this one...

    ...as always.

    "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user,"

    So don't run with unnecessary rights, just like you wouldn't on any other OS.

  2. Anonymous Coward
    Thumb Down

    now they use cocktails!

    There are so many vulnerabilities available to the hackers nowadays, I guess it's less work for them if they just combine them into a "cocktail" that sprays you with several at one time. And all through a JPG picture, lovely. My ruling on Windows as my main OS? Thumbs down.

  3. Anonymous Coward
    Linux

    Um ...

    "What isn't in dispute is that IE 7 on Vista is not vulnerable"

    I dispute your claim.

    FTFA:

    "However, on IE7 which is default on Windows Vista systems, risky ActiveX objects are blocked by default which may mitigate this 0-day attack."

    So Vista with default settings _may_ mitigate this attack. And how many Vista users are in the habit of reducing its "security" for the sake of usability? Many, many users.

  4. Alex 3
    Paris Hilton

    Journal speako

    Yes they are "ambushed" - of course they are...

  5. John Savard

    Lucky me

    I don't usually surf to the web sites of schools and community centers in China. Of course, that's no guarantee, since better targets may well be hit by the drive-by attack soon enough, but it's a good thing they're off to a slow start.

  6. zonky
    Go

    It's actually pretty easy to 'patch' around this issue

    Microsoft even produce an MSI to do it for you so you don't need to self-edit the registry.

    Not really sure why they don't advertise this?

    http://support.microsoft.com/kb/240797

  7. Anonymous Coward
    Flame

    Rhetorical Question at end

    From the article :- "making changes to the Windows registry, a risky undertaking"

    Don't MS provide a built-in, convenient GUI tool to make this risk free? (As Windows zealots constantly remind us, using GUI tools to do admin or any other task eliminates making mistakes.)

    Isn't the registry just one big config file and editing the registry config file one of the main effective methods of low level windows administration?

    Flaming Tux icon please.

  8. Anonymous Coward
    Happy

    Be smarter

    Some advice to those still living in 2000:

    1) Install Mozilla Firefox browser

    2) Install AdBlock add-on to get rid of all pesky ads (blocks ad servers)

    3) Install NoScript add-on to get rid of XSS and JS attacks (blocks JS except for whitelisted sites)

    It's that simple to eliminate most ad, tracking and malware attempts.

    Enjoy!

  9. DGittins

    there's a "Fixit" solution available

    In the KB article (linked from the advisory), there's a "Fixit" solution that does the work of the registry edit. It's an MSI executable that turns off the function in IE.

    http://support.microsoft.com/kb/972890

  10. derek anderson
    Gates Horns

    And yet to read this warning....

    Wouldn't it be better if you led by example and had a front page that will load if the user has blocked mobile code, adverts and cookies on their machine via their firewall?

    As it stands to read your warning not to allow dangerous behaviour you have to allow dangerous behaviour. ?? :-/ ??

    The inbuilt vulnerabilities of IE are only part of the problem. The other part being the websites that demand the dodgy functions be enabled to display correctly.

    Let's have a code of best practice on the part of site designers to lead by example.

    As it stands the concept of "YOU ARE IN DANGER OF BEING BUTTHURT - kindly lower your trousers and turn around so we can tell you about it" seems to be adding to the problem of these zero days to me.

    I am aware of Firefox - the same sadly cannot be said for my bank's website. And yes, this is another bone of contention. ;-P

    Satanswombat

  11. Anonymous Coward
    Pirate

    And in other news...

    So Microsoft have found another "flaw" in Windows that can only be avoided by upgrading to the latest version; there is, of course, a workaround for older Windows versions but it won't stop the Criminals for long - the only sure way to beat the bad guys is to "up" grade to Vista.

    And lookit, another helpful Registry "fix" that will turn off the unwanted behaviour without the User needing to do more than run yet another Microsoft Registry hac^H^H^H Installer/editor. But I can't help wondering what other little "unexpected" issues may be caused when this one's loaded...

  12. Anonymous Coward
    Happy

    Be even smarter

    Some advice to those still living in 2000:

    1) Switch to OS X

    Enjoy!

  13. Anonymous Coward
    Unhappy

    @Zonky

    "Not really sure why they don't advertise this?"

    Er, because they're trying to scare people into buying Vista/Windows 7, by any chance?

  14. Anonymous Coward
    Anonymous Coward

    re: Rhetorical Question at the end

    "Isn't the registry just one big config file and editing the registry config file one of the main effective methods of low level windows administration?"

    Isn't the registry just one big steaming pile of ineptitude and editing the registry config file one of the main effective methods of low level windows borking?

    There, fixed that for ya :D

  15. foo_bar_baz
    Boffin

    The registry

    Is not one file.

  16. Anonymous Coward
    Gates Horns

    @And in other news... #

    New thing better and has more features than old thing shocker!

    I agree, how terrible of Microsoft to design and produce a new product that might have more features and a better design than the old one!

    Would you expect a car manufacturer to retro-fit better locks to your car five years after you bought it because someone worked out how to pick the old ones?

  17. Psymon
    Stop

    Not a problem for my network.

    ActiveX components are restricted to only trusted zones.

    Ergo, unless I add the URL to my list of trusted sites in group policy, it doesn't run ActiveX.

    I also have similar lists for flash, java, javascript. All other plugins are blocked from being run, and no user can download executables from outside our network.

    It's so secure the last nasty our AV software picked up was the blaster worm which someone brought inside our firewall on an infected laptop.

    Any sys admin worth his salt will have similar measures in place. It's so secure when set up in this fashion, it makes other uncontrollable browsers such as firefox look so insecure they may as well be a virus, hence they are banned.

  18. Ken Hagan Gold badge

    The "FixIT" solution...

    ...surely ought to be on Windows Update.

    We have a remote code execution exploit, apparently in general circulation, that can be blocked with an already-available MSI, and the blocked control isn't used by-design in the core OS so it would be relatively low impact. (In any case, the controls could easily be unblocked once fixed.)

    What are they waiting for?

  19. Rob Beard
    Coat

    Well, some of us Europeans will be okay soon

    Some of us Europeans will be okay soon, as when Windows 7 ships we won't have IE. :-)

    Mine's the one with the Ubuntu CD in the pocket.

  20. Anonymous Coward
    Pint

    Is this exploit..

    ... the smitfraud old thing that hijacks your DNS address and then redirects you?

    I've had a load of people reporting this in the last few days

    DNS is changed to 85.255.112.136

    Just wondering

    Paul
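An added example (not part of the thread, and not a tool the poster used) for checking the symptom described above: it lists every DNS server an IP-enabled adapter is using, and separately the NameServer values persisted per interface in the registry, then flags anything outside an allowlist. 85.255.112.136 is the address quoted in the post; the allowlist entries are constructed placeholders to be replaced with your own resolvers.

```powershell
# Added example, not from the thread. Reports configured DNS servers per adapter
# (live, via WMI) and per interface (persisted, via the registry) and flags any
# that are not on an allowlist. 85.255.112.136 is the indicator quoted in the
# post above; the $Allowed values are placeholders for your own resolvers.

$KnownBad = @('85.255.112.136')
$Allowed  = @('192.168.1.1', '192.168.1.2')   # placeholder values

function Get-DnsStatus {
    param([string]$Server)
    if ($KnownBad -contains $Server) { return 'KNOWN-BAD' }
    if ($Allowed  -contains $Server) { return 'ok' }
    return 'UNEXPECTED'
}

function Get-AdapterDnsReport {
    # What the TCP/IP stack is using right now, per IP-enabled adapter.
    Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled } |
        ForEach-Object {
            $adapter = $_
            foreach ($srv in @($adapter.DNSServerSearchOrder)) {
                if ($srv) {
                    New-Object PSObject -Property @{
                        Source  = 'WMI'
                        Adapter = $adapter.Description
                        Server  = $srv
                        Status  = Get-DnsStatus $srv
                    }
                }
            }
        }
}

function Get-RegistryDnsReport {
    # What is persisted per interface. A static NameServer that differs from
    # the DHCP-supplied DhcpNameServer is worth a second look.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem $base) {
        $props = Get-ItemProperty $iface.PSPath
        foreach ($name in 'NameServer', 'DhcpNameServer') {
            $value = $props.$name
            if (-not $value) { continue }
            # Values are space- or comma-separated lists of addresses.
            foreach ($srv in ($value -split '[ ,]+')) {
                if ($srv) {
                    New-Object PSObject -Property @{
                        Source  = $name
                        Adapter = $iface.PSChildName
                        Server  = $srv
                        Status  = Get-DnsStatus $srv
                    }
                }
            }
        }
    }
}

@(Get-AdapterDnsReport) + @(Get-RegistryDnsReport) |
    Sort-Object Status, Adapter |
    Format-Table Source, Adapter, Server, Status -AutoSize
```

Run it from an ordinary prompt on a suspect machine; a KNOWN-BAD or UNEXPECTED row on the static NameServer side that is absent from the DhcpNameServer side is the pattern a hijacked resolver setting leaves behind.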

  21. Rod MacLean
    WTF?

    "Pea and ham? From a chicken? Now that's clever"

    "The site includes a JPG file that exploits a variety of vulnerabilities, "including an unprecedented stack overflow in DirectShow MPEG2TuneRequest,"

    So, this image file somehow creates a stack overflow in music related code?

  22. Anonymous Coward
    Anonymous Coward

    RE: The registry

    Foo_bar_baz wrote: "Is not one file".

    OK, so if the registry isn't one file, what are the names of the files that the registry consists of?

    I'm only asking because registry editors (regedit) show ALL registry entries in one go. Does Windows load it all into memory (and does it keep it there?)

  23. Grease Monkey Silver badge

    @ AC - Be Smarter

    FFS do you not realise that the majority of internet users expect their computer to work like their TV or indeed washing machine? They press buttons, stuff happens. They don't want to be bothered with installing a new browser and plugins and then messing around whitelisting sites.

    Unfortunately FF seems to be just as prone to vulberablities as IE, and relying on plugins to protect their reputation is hardly good practice.

  24. Anonymous Coward
    Pint

    re: Be even smarter

    I'd rather set myself on fire than use OSX thanks, not everyone wants style over substance

    also this little munchkin of a virus does appear on vista, it also dies pretty quickly when you use the appropriate tools (http://www.malwarebytes.org)

  25. This post has been deleted by its author

  26. Lozzyho
    Alert

    @AC

    The registry is split into user files (1 per user = HKEY_LOCAL_USER/HKEY_USERS) and machine files (HKEY_LOCAL_MACHINE and HKEY_CURRENT_CONFIG etc).

    And as for ActiveX objects being enabled by "many many users", then I'd suggest only crazy people would. IE lets you enable such things by zone, so many might enable them for Intranet sites or Trusted sites, but not for Internet. Anyone sufficiently savvy to get that far would SURELY know not to enable ActiveX objects for the Internet zone.

    As for installing OSX, does Safari have NO vulnerabilities?! Are you sure?

    Interesting how people still manage to try to slag off Vista when it's the one NOT affected.

  27. Geoff Mackenzie

    Some responses...

    "FF seems to be just as prone to vulberablities [sic] as IE" - Er, no, actually it isn't. Step 1 (install Firefox) would improve users' security significantly; it's just that the other steps would harden the browser a little more. Remember, IE has a (limp) hardened mode as well.

    "Would you expect a car manufacturer to retro-fit better locks to your car five years after you bought it because someone worked out how to pick the old ones?" - No, but if they sold me a car with a fault that left it with a serious security hole, I would hold them somewhat accountable for that and would appreciate a fix. Would you expect to be forced to buy a new car every couple of years because the manufacturer stopped supporting the old model as soon as there was a new one (even if that new one was expensive, unreliable and fugly), and refused to allow anyone else to maintain it?

    "So don't run with unnecessary rights, just like you wouldn't on any other OS." - while this is true, it's worth bearing in mind that necessary rights for a local user are generally going to be enough to screw with all of their files. Advising people to use unprivileged accounts for normal users doesn't excuse producing pathologically insecure applications.

  28. Bernie 2
    Thumb Down

    another Re: Be smarter

    Yeah NoScript is a great add-on, if you want to b0rk the web and spend the rest of your life white-listing stuff to fix it again.

    It's like an over zealous firewall asking you to confirm or deny every little thing.

    Lots of hassle, no real protection.

  29. Anonymous Coward
    Anonymous Coward

    @AC 09:56

    The files are:

    %SystemRoot%\System32\Config\SAM

    %SystemRoot%\System32\Config\SECURITY

    %SystemRoot%\System32\Config\SOFTWARE

    %SystemRoot%\System32\Config\SYSTEM

    %SystemRoot%\System32\Config\.DEFAULT

    And the users' personal settings are in ntuser.dat, which is part of the roaming profile.

    On w2k there are .ALT versions of the registry files which store a duplicate, in case of corruption. In w2k3 and above the individual databases are transaction logged so can be rebuilt if a corruption is detected.

    As far as I know the files are not operated from memory, but are locked for exclusive access for the whole time that the OS is up. I'm not 100% sure, but they are probably jet databases or some derivative thereof.

  30. Gareth.
    Linux

    RE: Anonymous Coward @ 7th July 2009 08:36 GMT

    You said, "Would you expect a car manufacturer to retro-fit better locks to your car five years after you bought it because someone worked out how to pick the old ones?"

    I say, "Would you not expect a car manufacturer to issue a recall if an old model was found to be inherently defective or would you be happy for them to tell you that you need to buy a new model?"

    Actually I do kinda agree with what you're saying... there's no reason why MS shouldn't provide better products and charge for them accordingly - provided they also fix security issues with the older products and don't just use that as an excuse to force people to upgrade.

    Contrary to the person you replied to, I think that MS will eventually provide a hotfix for this issue - their workaround is just a temporary fix until it's been tested. I don't think they would honestly expect to get away with leaving this unfixed on supported OSes such as XP.

    I'm not sure, however, how long it will take them to do it. Whilst he was still at the helm, Gates seemed to have been pushing through changes to decrease the Vulnerability Window by making security fixes available sooner. But since he stepped down, there generally seems to be less priority placed on getting the hotfixes out quickly (with the exception of the 2 out-of-band patches released earlier this year).

    Tux - because I wish I could download the source code and build my own car for free like I do with Linux.

  31. Anonymous Coward
    Flame

    Re: re: Be even smarter

    "I'd rather set myself on fire than use OSX thanks, not everyone wants style over substance"

    ...and in this instance I'd rather let you. Got the crumpets and muffins ready - over to you.

  32. Anonymous Coward
    Boffin

    RE: The registry

    Someone else will probably beat me to it, but the files I know of that comprise the registry are:

    %SYSTEMROOT%\System32\config\system, loaded into HKEY_CURRENT_CONFIG and HKEY_LOCAL_MACHINE\System

    %SYSTEMROOT%\System32\config\security, loaded into HKEY_LOCAL_MACHINE\Security

    %SYSTEMROOT%\System32\config\software, loaded into HKEY_LOCAL_MACHINE\Software

    %USERPROFILE%\NTUSER.DAT - one per user, loaded into HKEY_CURRENT_USER and HKEY_USERS/<UserSID> when the user logs on

    %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - one per user, loaded into HKEY_USERS/<UserSID_Classes> when the user logs on

    There are also 3 "system users" that have hives that are always loaded:

    LocalService, loaded into HKEY_USERS/S-1-5-19 and HKEY_USERS/S-1-5-19_Classes

    NetworkService, loaded into HKEY_USERS/S-1-5-20 and HKEY_USERS/S-1-5-20_Classes

    .DEFAULT, stored in %SYSTEMROOT%\System32\config\default and loaded into HKEY_USERS/.DEFAULT

    FYI, HKEY_LOCAL_MACHINE\HARDWARE is a "volatile" key in that it is built by the kernel during startup, it isn't stored in a file.

    This has been a public service announcement by your friendly neighborhood system deployment specialist. We return you now to your regularly scheduled flame war.

  33. Anonymous Coward
    Boffin

    RE: The registry

    And of course I forgot %SYSTEMROOT%\system32\config\SAM, loaded into HKEY_LOCAL_MACHINE\SAM
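An added example (not from the thread) that answers the "which files?" question from the two posts above without relying on memory: the kernel keeps its own map of loaded hives to backing files under HKLM\SYSTEM\CurrentControlSet\Control\hivelist. Each value name is a hive path such as \REGISTRY\MACHINE\SOFTWARE or \REGISTRY\USER\<SID>, and the value is the backing file as an NT device path; a volatile hive like \REGISTRY\MACHINE\HARDWARE has an empty value.

```powershell
# Added example, not from the thread. Lists every loaded registry hive and the
# file backing it, as recorded by the kernel in the hivelist key. Per-user hives
# show up as \REGISTRY\USER\<SID> entries only while that user is logged on.

function Get-LoadedHive {
    $key = Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    foreach ($hive in $key.GetValueNames()) {
        $file = $key.GetValue($hive)
        if (-not $file) {
            # Empty value: hive is built in memory at boot, nothing on disk.
            $file = '(volatile, no backing file)'
        }
        New-Object PSObject -Property @{
            Hive = $hive
            File = $file
        }
    }
}

Get-LoadedHive | Sort-Object Hive | Format-Table Hive, File -AutoSize -Wrap
```

The paths come back in NT form (\Device\HarddiskVolumeN\Windows\System32\config\...), which is also a handy reminder that these files stay open and locked by the kernel while Windows is running.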

  34. Rabbi
    Go

    Group Policy Fix

    I remember having to work hard the first time to set up a method of setting killbits with group policy. Then I found the following article:

    http://msinfluentials.com/blogs/jesper/archive/2006/09/29/Set-KillBit-on-Arbitrary-ActiveX-Controls-with-Group-Policy.aspx

    As soon as I had the CLASSID, it took 5 minutes to add it to group policy and protect 100+ computers.

    I just hope this helps anyone else wondering how to deal with it!
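As an added example, not from the thread, the linked article or Microsoft: the registry change behind both the Fixit MSI and the group-policy approach described above is a single DWORD, "Compatibility Flags", with bit 0x400 (the kill bit) set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, which is what KB240797 documents. The script below sets that bit and verifies it, covering the Wow6432Node view used by 32-bit IE on 64-bit Windows. The CLSID in it is a placeholder; the real one comes from the Microsoft advisory.

```powershell
# Added example, not from the thread or from Microsoft. Sets and verifies an
# ActiveX kill bit in the way KB240797 describes. $TargetClsid is a PLACEHOLDER,
# replace it with the CLSID given in the advisory. Set-KillBit needs an
# elevated prompt.

$KillBit     = 0x400
$TargetClsid = '{00000000-0000-0000-0000-000000000000}'   # PLACEHOLDER

function Get-ActiveXCompatPaths {
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both.
    $paths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    return $paths
}

function Get-CompatFlags {
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { return 0 }
    $item = Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    # True only if the kill bit is present in every registry view IE may consult.
    foreach ($base in Get-ActiveXCompatPaths) {
        $flags = Get-CompatFlags (Join-Path $base $Clsid)
        if (($flags -band $KillBit) -ne $KillBit) { return $false }
    }
    return $true
}

function Set-KillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    # OR the bit in rather than overwrite, so any other flags already set survive.
    foreach ($base in Get-ActiveXCompatPaths) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $new = (Get-CompatFlags $key) -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

if (-not (Test-KillBit $TargetClsid)) {
    Set-KillBit $TargetClsid
}
"Kill bit set for ${TargetClsid}: $(Test-KillBit $TargetClsid)"
```

For a fleet, the same value is what a Group Policy registry item pushes out; Test-KillBit run on a sample of machines is a quick way to confirm the policy actually applied, and it checks both views, so a 64-bit box where only the native path was set still reports false.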

  35. Dave 142

    Fix

    Messing with the registry is really easy. If you want to delete this virus, just delete the whole registry and restart, that'll work fine.

  36. Anonymous Coward
    Pint

    @ AC - 10:19 GMT

    "I'd rather set myself on fire than use OSX thanks, not everyone wants style over substance"

    Yeah - I always love weenie roasts! I got my beer! Start her up!

  37. Anonymous Coward
    Terminator

    *sigh*

    This is *really* getting bothersome now.

    Wish the d__n malware coders will be terminated.

    The days when you didn't need a firewall or have to worry about wonky sites are long past now.

  38. Stevie

    But...

    Firefox makes all websites look so damned ugly. Used it last week when at a different site. Awful experience. Popups every two seconds asking "Did you really want to..." and Gad! That spellchecker!

    Week before that it was Mozilla, a browser so clever that when you set the first tab to magnify text by (say) 125%, every tab you open in that same browser window will need to be told to magnify 125% because, gosh, it's not like you might have poor eyesight or be working on a fsking Unix X window lashup with piss-poor resolution adjusting tools and might expect the bloody browser res to inherit, is it?

    Stopped using Opera yonks ago due to the way it behaved when it found deprecated tags. Memo to Opera developers: When there are two distinct schools of thought on how to do stuff, it's worth thinking twice before becoming the one and only proponent of option "B".

    Speaking as someone who does use IE, it would be nice if the baying hounds would take a leaf from my book and stop yowling for me to use whatever they think is the bees knees. I mean, it isn't that long ago we were witnessing the authors of the two Firefox plug-ins mentioned above slagging each other off in public and writing code at each other in secret. *There's* a technology I'd buy into in a heartbeat (if the alternative were a hot poker in the hurty bits). If you don't want I.E. users accessing your websites, just tell them so and eat the consequences.

    I noticed a while back that a certain UK webstore was popping up a little political screed urging a non I.E. browser be installed before I had the privilege of viewing their wares. I did the obvious: bought from somewhere else and wrote to the webmaster saying what I'd done and why. The message is, curiously, not displayed any more upon loading their front page but the website still runs like a dog because of the heavy payload it attempts to force down the pipe in the quest for Teh Awsum. (Research suggests the browsing experience is no better with the Golden Browsers either, for what it's worth).

    Yes it's inconvenient that yet another hole has been found in some dimwit active X control. Yes, the problem targets Windows and IE, because those are the majority choice in the marketplace, for whatever reason. No doubt when Firefox has swept all other browsers before it into the mists of oblivion, people will start writing more attack code for it. I look forward to the day when the clear technical advantages and ease of use of the product, coupled with a virtually effortless installation and configuration that my 80 year old parents can manage, make this the browser of choice. Of course, by then everyone will be using Chrome.

    I'd say nice things about OS X but, well, it's OS X.

  39. Homard
    Pint

    Yet Again Someone Has Done Some Homework

    And found an exploitable weakness. Today m$ IE (that I detest) but tomorrow something else. The malware writers are in it for the money, and should not be underestimated.

    However, if they put their skills to improving things for mankind, I'm sure they could achieve an awesome amount. However climate prediction and script kiddies would be like monkeys and typewriters ..... But the really gifted guys ?

    Crying shame really.

    I need a pint, just like Inspector Morse ... nice bit of the country in summer BTW.

  40. mfraz
    Flame

    Use Windows...

    And don't blame me if you hackers keep finding all those holes in your OS and browser.
