Microsoft has issued a rare emergency update for its Internet Explorer browser as miscreants stepped up attacks targeting a vulnerability on hundreds of thousands of webpages. In many cases, the websites distributing the toxic payload are legitimate destinations that have been commandeered, allowing an attacker to snare victims …
Computing for dummies?
So we should update then?? A direct link to the patches would be nice (http://www.microsoft.com/technet/security/bulletin/MS08-078.mspx) instead of telling IT professionals how to use Windows update.
What software are the sites holding the attack code hosted on?
And how did they get commandeered?
how did all those sites get the payload installer in the first place ...
Happily using Opera with java and flash turned OFF.
the phishers can phuck off
It never ceases to amaze me..
....just how badly the popular media report and mis-report on technology issues like this.
Why are media outlets so fecking clue-less when it comes to the net and computers in general?
With IE Being The Industry Standard Browser, What's New
I don't touch IE since it went to 7..loved 6.
Now on Opera..Best and most secure out there in my opinion.
If a hacker can get past a normal Linksys firewall, a Sega Dreamcast turned into a firewall, NOD32 firewall and Windows firewall then they are damn good!
Good point. Story updated. Thanks for the suggestion.
Happily using Opera
Happily using Opera are you? Except for all those apps that use an embedded IE-based WebBrowser control, huh?
Anyway, tell me this, MS, why when I haven't used IE since my last reboot, do I have to restart my computer to install? None of its libraries should be loaded. Message to Microsoft: Get your damn dirty browser out of the OS!
Just Googled it
and ardoshanghai.com/s.js appears on 279,000 sites!
This is why I use
Konqueror. That and IE don't run well on Linux. Hell, most malware doesn't even start under Wine.
"Happily using Opera are you? Except for all those apps that use an embedded IE-based WebBrowser control, huh?"
Interestingly it's possible to get rid of this -- Wine actually handles several forms of embedding IE, embedding a Firefox/Mozilla rendering engine instead. It'd be nice to be able to take this and plug it into Windows somehow.
"Anyway, tell me this, MS, why when I haven't used IE since my last reboot, do I have to restart my computer to install? None of its libraries should be loaded. Message to Microsoft: Get your damn dirty browser out of the OS!"
The short of it, because Microsoft does not have package management. This really causes a lot of problems for them IMHO.
..Is it me or are just about all the sites that quote that code in Korean?
As you know it's gonna happen ...
... and the "don't use Microsoft, it's crap" will start and everyone will happily proclaim that they use Firefox. I feel a link to another Reg article is needed to stave off this onslaught
just to preempt them (btw yes it does allow code execution and this one with no input from the user as well!)
Time to ditch IE ....
Well, I would update IE but I really, really don't want to install WGA as well. Time to ditch IE completely methinks ....
Nasty little browser...
I'm glad I'm free of all of it with Linux. You have to hand it to M$ though for fixing it in such a timely manner.
I wonder how much influence the announcements over the last few days in the national news that users should change to a different browser had on Microsoft in rushing out the patch?
First golden rule of security Spencer, is not to disclose details of your security architecture.
Hackers will use any snippet of information they can to identify ways to attack your system.
I notice that you have all these firewalls, but you seemingly have them configured in the most basic of configurations. If a hacker can get through one firewall, he'll get through the second in your architecture, if he really thinks your system is worth hacking and might have something he wants.
I'd suggest you look at other firewall architectures, in particular using DMZs.
Hackers don't tend to care much about bravado.
IE was integrated deep into the OS so that it could not be removed, this made it less likely that another browser would be installed. So when IE updates it is really your OS getting updated.
Even on Linux it seems you need to reboot after every third update (give or take). I am a Linux newb and maybe it is possible to stop/start strategic services, but the only option given to me is "Reboot". It's not a big deal though.
ps Firefox with the usual add-ons, just gone to 3.0.5.
Re: Web hosts?
"The *real* question is why the various self-appointed censors of the internet don't automatically blacklist a site that "requires IE" rather than using W3C standards."
On reflection, that's unfair on MS. In the spirit of fairness, I'd like to extend my suggestion to any site that uses the user-agent string for any purpose. Happily, this change also makes it easier to compile the blacklist.
Re: Web hosts?
"What software are the sites holding the attack code hosted on? And how did they get commandeered?"
They're probably sites that "are best viewed using Internet Explorer". Perhaps they even offer a link to the IE download page. Let's face it, such sites are managed by idiots, so it is hardly surprising that they've been hijacked by malware.
The *real* question is why the various self-appointed censors of the internet don't automatically blacklist a site that "requires IE" rather than using W3C standards. Surely there's a correlation. If I were farming out malware, I'd probably *deliberately* put in some code that requires IE, just to encourage folks to use the preferred vector ^H^H^H browser.
Yep, and pick 'pages from the UK' in Google and you get.....
A link to this article. And that's it. I'm not saying we're immune (happily using Firefox w/NoScript add-on installed here) as this isn't the only filename, though.
I only use IE when I /absolutely/ have to. And I complain bitterly when companies force me to use IE. (Saying your company has standardized on Firefox (which mine has) and that you'll be on the lookout for another supplier which doesn't force you to use IE generally gets some attention)
Rather than it being down to IE being part of the OS, it's more likely to be WFP / dllcache at work here.
One or more of the DLLs being patched will be flagged as protected by WFP and the reboot's required to move in the new DLL version and refresh the copy in dllcache.
Swings and roundabouts. On one hand, it should be perfectly possible to build WFP or similar in such a way that dllcache sekkuritty* backup copies can be changed outside boot time. On the other this is MS, so if they provided such a mechanism it'd almost certainly be possible to exploit it remotely, blowing away the last figleaf from XP's insecure dangly bits. On the third hand (thanks Zaphod) the reboot requirements foisted on us by WFP are a disincentive to patch.......
*i.e. A bit like "security" but not close enough to the real thing to be useful.
HTML mail danger?
Jeremy: "Happily using Opera are you? Except for all those apps that use an embedded IE-based WebBrowser control, huh?"
Doesn't this mean a HTML-formatted spam can carry the infection if opened in Outlook? If so, I wonder why this form of attack has not been reported. Maybe there is something making it infeasible?
(It could hit even me. At work I'm forced to use Outlook 2002 (gack!), and although the company has spam filters, some of it trickles through, and sometimes I open a spam message by mistake, typically because Outlook sometimes forgets that I don't want preview panes...).
@Moss Icely Spaceport
It's not just the net/computers... try space, nuclear energy, physics, astronomy, motorcycles, or just about anything technical. I've seen stuff mutated literally almost past recognition.
"Getting the story right" just isn't a concern for most news "journalists" so as a result I consider 99% of it to be purest bullshit. That's why I come to places like El Reg, who mostly get it right.
Firefox updated too!
That is all.
Or just stop using Internet Explorer entirely......
tried looking at Empire with Firefox
Used Firefox last night and tried looking at Empireonline.com and it's been blocked by my phishing filter; is this the same problem?
Re @Spencer Davies
I've been running the same setup for just over 6 years now and had no particular threats. The only threat I have is configuring my Dreamcast to accept Xbox Live, which is a pain.
My parents' machine downstairs is probably the most likely to get hacked as he goes off a different broadband connection altogether and he just uses a plain firewall (Windows, to my dismay).
Anyway back to main subject.
I believe you can't stop using IE altogether because, if I remember correctly, it's integrated into the shell: Internet Explorer, Windows Explorer, etc.
Re: Web hosts?
A quick Googl$ for the ardoshanghai.com/s.js string appears to show the majority of sites hosting that particular form of the hostile code for this exploit serving .asp?*** or .aspx?*** urls. I'm guessing this indicates they are serving from IIS of some description, which would probably indicate compromise through unpatched holes there (or automated SQL injection, perhaps).
Could it be that Korean domains dominate because as I understand it the current trojan delivered through this hole is installing game password stealers, and those .kr peeps are probably the most lucrative market for 'hot' virtual property?
Flames because quite a lot of people are going to be burned by this one over the holiday season...
@Henry Wertz, packages
But Windows does have package management, check %WINDIR%\servicing\Packages
Details = good
Kudos to El Reg for giving particulars on the script name and sites hosting the script - many other IT 'news' sites fail to give us those basics. Any chance of getting at least a partial list of the other sites, or perhaps a link to where the info may be posted?
@Details = good
Thanks for the kind words. I've updated the article to include the following paragraph:
Attack strings in separate SQL injections include 17gamo.com/1.js. Researchers say the number of attack sites is too high to keep exhaustive lists, but Shadowserver is doing an admirable job here (http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210)
Someone else asked what platforms the hacked sites were running on. That information wasn't available, but in general SQL injections attack web applications that fail to sanitize user input rather than the underlying database. Many of the SQL injections in the past worked on a variety of database programs. (See http://www.theregister.co.uk/2008/05/14/asprox_attacks_websites/ and http://www.theregister.co.uk/2008/04/25/mass_web_attack_grows/)
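For site owners checking their own content for this kind of injection, the sketch below is an added example, not part of the article or the thread: it flags stored text fields that contain a `<script src=...>` tag pointing at a host outside the site's own allowlist. The allowlist hosts, the row layout and the sample rows are constructed assumptions; the two flagged domains are the ones named above.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts this (hypothetical) site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example.test", "static.example.test"}

# <script ... src=VALUE> with a double-quoted, single-quoted or bare value.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)

def script_hosts(text):
    """Return the host of every script tag in text that names one."""
    hosts = []
    for m in SCRIPT_SRC.finditer(text):
        src = next(g for g in m.groups() if g is not None)
        # Absolute and scheme-relative URLs have a host; relative paths
        # (served by the site itself) yield None and are skipped.
        host = urlparse(src).hostname
        if host:
            hosts.append(host)
    return hosts

def find_injected(rows, allowed=ALLOWED_SCRIPT_HOSTS):
    """rows: iterable of (table, primary_key, column, value) tuples."""
    findings = []
    for table, pk, column, value in rows:
        for host in script_hosts(value):
            if host not in allowed:
                findings.append((table, pk, column, host))
    return findings

# Constructed sample rows, as they might be read from a content database.
SAMPLE_ROWS = [
    ("products", 1, "description",
     "Blue widget<script src=http://17gamo.com/1.js></script>"),
    ("products", 2, "description", "Red widget, no markup"),
    ("news", 7, "body",
     '<p>Hi</p><SCRIPT SRC="http://ardoshanghai.com/s.js"></SCRIPT>'),
    ("news", 8, "body", '<script src="//static.example.test/app.js"></script>'),
    ("news", 9, "body", "<script src='/js/local.js'></script>"),
]

if __name__ == "__main__":
    for finding in find_injected(SAMPLE_ROWS):
        print("unexpected script host:", finding)
```

A hit only identifies rows to clean up; the injection point in the web application still has to be found and fixed, or the rows will be rewritten.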
You can set your watch to it
The minute a patch for Windows/IE comes out, there will be someone within 30 minutes trumpeting what OS/browser THEY prefer/are running.
"Wow - I'm so glad that person X on The Reg forums is using Opera! I should run Opera, too, because person X is just so in-the-know!"
Come on, guys/gals - the comments section would be a bit more relevant if the rest of us didn't have to wade through gratuitous postings about what makes you so technically beyond the ~90% of the rest of the web. We get it already.
The Really Scary Bit ......
.... is how if you're just running as a normal user, and not with admin rights you can get a keyboard scanner installed on what is effectively a browse-by download. I'm by no means an expert, nor for that matter a particularly good programmer, but the only way I can see to do this is to map onto the keyboard I/O memory address range, and then poll the memory space (so you don't register the interrupt) to read the scancodes. On a secure system the kernel should tightly control access to this area of memory to those with admin rights. Even if the program is downloaded, how is it allowed to run?
Am I missing something, or does everyone use windows with admin rights?
I'll get me coat cos it'll give my back some heat protection from the uber programmers glaring at me for my utter lack of knowledge.
@AC - Thursday 18th December 2008 07:15
I agree with you!
I've seen newspapers and TV get some of the most famous news images wrong on quite a few occasions.
- The classic image of Buzz Aldrin standing on the moon - said by some media outlets to be Neil Armstrong!
- The even more classic image of Tenzing Norgay Sherpa standing on Mt Everest's summit - said to be Sir Ed Hillary!
If you can't see their faces, even more reason to check your facts!
I also agree that the Reg is not included in the above criticism.
Re: Web hosts
If Korean hosts are being targeted it could be because 99.9% of Koreans use Internet Explorer and rely on ActiveX for secure transactions. That's a good market, plus they do like their virtual stuff. The government bought into a monopoly, didn't wait for SSL encryption, and are only just digging their way out, but none too quickly.