back to article Windows users ambushed by attack on fresh IE flaw

Thousands of websites have been hit by fast-moving exploit code that installs a cocktail of nasty malware on visitors' computers by targeting a previously unknown vulnerability in some versions of Internet Explorer. The compromised websites link to a series of servers that exploit a zero-day vulnerability in an IE component that …

COMMENTS

This topic is closed for new posts.

Easy way to mitigate this one...

...as always.

"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user,"

So don't run with unnecessary rights, just like you wouldn't on any other OS.

0
0
Thumb Down

now they use cocktails!

There are so many vulnerabilities available to the hackers nowadays, I guess it's less work for them if they just combine them into a "cocktail" that sprays you with several at one time. And all through a JPG picture, lovely. My ruling on Windows as my main OS? http://www.theregister.co.uk/Design/graphics/icons/comment/thumb_down_32.png

0
0
Linux

Um ...

"What isn't in dispute is that IE 7 on Vista is not vulnerable"

I dispute your claim.

FTFA:

"However, on IE7 which is default on Windows Vista systems, risky ActiveX objects are blocked by default which may mitigate this 0-day attack."

So Vista with default settings _may_ mitigate this attack. And how many Vista users are in the habit of reducing its "security" for the sake of usability? Many, many users.

0
1
Paris Hilton

Journal speako

Yes they are "ambushed" - of course they are...

0
0
Bronze badge

Lucky me

I don't usually surf to the web sites of schools and community centers in China. Of course, that's no guarantee, since better targets may well be hit by the drive-by attack soon enough, but it's a good thing they're off to a slow start.

0
0
Go

It's actually pretty easy to 'patch' around this issue

Microsoft even produce a msi to do it for you so you don't need to self-edit the registry.

Not really sure why they don't advertise this ?

http://support.microsoft.com/kb/240797

0
0
Flame

Rhetorical Question at end

From the article :- "making changes to the Windows registry, a risky undertaking"

Don't MS provide a built in convenient gui tool to make this risk free (as windows zealots constantly remind us, using gui tools to do admin or any task eliminates making mistakes)

Isn't the registry just one big config file and editing the registry config file one of the main effective methods of low level windows administration?

Flaming Tux icon please.

0
0
Happy

Be smarter

Some advice to those still living in 2000:

1) Install Mozilla Firefox browser

2) Install AdBlock add-on to get rid of all pesky ads (blocks ad servers)

3) Install NoScript add-on to get rid of XSS and JS attacks (blocks JS except for whitelisted sites)

It's that simple to eliminate most ad, tracking and malware attempts.

Enjoy!

0
0

there's a "Fixit" solution available

In the KB article (linked from the advisory), there's a "Fixit" solution that does the work of the registry edit. It's an MSI executable that turns off the function in IE.

http://support.microsoft.com/kb/972890

0
0
Gates Horns

And yet to read this warning....

Wouldn't it be better if you lead by example and have a front page that will load if the user has blocked mobile code, adverts and cookies on their machine via their firewall?

As it stands to read your warning not to allow dangerous behaviour you have to allow dangerous behaviour. ?? :-/ ??

The inbuilt vulnerabilities of IE are only part of the problem. The other part being the websites that demand the dodgy functions be enabled to display correctly.

Let's have a code of best practice on the part of site designers to lead by example.

As it stands the concept of "YOU ARE IN DANGER OF BEING BUTTHURT - kindly lower your trousers and turn around so we can tell you about it" seems to be adding to the problem of these zero days to me.

I am aware of firefox - the same sadly cannot be said for my banks website. And yes this is another bone of contention. ;-P

Satanswombat

0
0
Pirate

And in other news...

So Microsoft have found another "flaw" in Windows that can only be avoided by ugrading to the latest version; there is, of course, a workround for older Windows versions but it won't stop the Criminals for long - the only sure way to beat the bad guys is to "up" grade to Vista.

And lookit, another helpful Registry "fix" that will turn off the unwanted behaviour without the User needing to do more than run yet another Microsoft Registry hac^H^H^H Installer/editor. But I can't help wondering what other little "unexpected" issues may be caused when this one's loaded...

0
0
Happy

Be even smarter

Some advice to those still living in 2000:

1) Switch to OS X

Enjoy!

0
0
Unhappy

@Zonky

"Not really sure why they don't advertise this ?"

Er, because they're trying to scare people into buying Vista/Windows 7, by any chance?

0
0
Anonymous Coward

re: Rhetorical Question at the end

"Isn't the registry just one big config file and editing the registry config file one of the main effective methods of low level windows administration?"

Isn't the registry just one big steaming pile of ineptitude and editing the registry config file one of the main effective methods of low level windows borking?

There, fixed that for ya :D

0
0
Bronze badge
Boffin

The registry

Is not one file.

0
0
Gates Horns

@And in other news... #

New thing better and has more features than old thing shocker!

I agree, how terrible of Microsoft to design and produce a new product that might have more features and a better design that the old one!

Would you expect a car manufacturer to retro-fit better locks to your car five years after you bought it because someone worked out how to pick the old ones?

0
0
Stop

Not a problem for my network.

ActiveX components are restricted to only trusted zones.

Ergo, unless I add the URL to my list of trusted sites in group policy, it doesn't run activeX..

I also have similar lists for flash, java, javascript. All other plugins are blocked from being run, and no user can download executables from outside our network.

It's so secure the last nasty our AV software picked up was the blaster worm which someone brought inside our firewall on an infected laptop.

Any sys admin worth his salt will have similar measures in place. It's so secure when set up in this fashion, it makes other uncontrollable browsers such as firefox look so insecure they may as well be a virus, hence they are banned.

0
0
Gold badge

The "FixIT" solution...

...surely ought to be on Windows Update.

We have a remote code execution exploit, apparently in general circulation, that can be blocked with an already-available MSI, and the blocked control isn't used by-design in the core OS so it would be relatively low impact. (In any case, the controls could easily be unblocked once fixed.)

What are they waiting for?

0
0
Coat

Well us some of us Europeans will be okay soon

Some of us Europeans will be okay soon as when Windows 7 ships we won't have IE. :-)

Mine's the one with the Ubuntu CD in the pocket.

0
0
Pint

Is this exploit..

,, The smitfraud old thing that hijacks your DNS address and then redirects you?

I've had a load of people reporting this in the last few days

DNS is changed to 85.255.112.136

Just wondering

Paul

0
0
WTF?

"Pea and ham? From a chicken? Now that's clever"

"The site includes a JPG file that exploits a variety of vulnerabilities, "including an unprecedented stack overflow in DirectShow MPEG2TuneRequest,"

So, this image file somehow creates a stack overflow in music related code?

0
0
Anonymous Coward

RE: The registry

Foo_bar_baz wrote: "Is not one file".

OK, so if the registry isn't one file, what are the names of the files that the registry comprises of?

I'm only asking because registry editors (regedit) show ALL registry entries in one go. Does Windows load it all into memory (and does it keep it there?)

0
0
Bronze badge

@ AC - Be Smarter

FFS do you not realise that the majority of internet users expect their computer to work like their TV or indeed washing machine? They press buttons, stuff happens. They don't want to be botherd with installing a new browser and plugins and then messing around whitelisting sites.

Unfortunately FF seems to be just as prone to vulberablities as IE, and relying on plugins to protect their reputation is hardly good practice.

0
0
Pint

re: Be even smarter

Id rather set myself on fire than use OSX thanks, not everyone wants style over substance

also this little munchkin of a virus does appear on vista, it also dies pretty quickly when you use the appropriate tools (http://www.malwarebytes.org)

0
0
Pint

@KarlTh

Not always so easy. Normally, most software behaves itself if installed with admin rights but run under normal user rights. Some software, however, refuses to play ball unless run with admin rights all the time.

One notable example is the Chinese instant messenger client QQ, which we have tried installing several times on a Chinese colleague's machine (she actually needs it for her work, as she communicates with Chinese contacts on QQ) - but the damn thing will not run unless she is given admin rights on the machine. We eventually gave up and told her to use Yahoo.

0
0
Alert

@AC

The registry is split into user files (1 per user = HKEY_LOCAL_USER/HKEY_USERS) and machine files (HKEY_LOCAL_MACHINE and HKEY_CURRENT_CONFIG etc).

And as for ActiveX objects being enabled by "many many users" then I'd suggest only crazy people would. IE lets you enable such things by zone, so many might enable them for Intranet sites or Trusted sites, but not for Internet. Anyone sufficiently savvy to get that far would SURELY know not to enable ActiveX objects for then Internet zone.

As for installing OSX, does Safari have NO vunlnerabilities?! Are you sure?

Interesting how people still manage to try to slag off Vista when it's the one NOT affected.

0
0

Some responses...

"FF seems to be just as prone to vulberablities [sic] as IE" - Er, no, actually it isn't. Step 1 (install Firefox) would improve users' security significantly; it's just that the other steps would harden the browser a little more. Remember, IE has a (limp) hardened mode as well.

"Would you expect a car manufacturer to retro-fit better locks to your car five years after you bought it because someone worked out how to pick the old ones?" - No, but if they sold me a car with a fault that left it with a serious security hole, I would hold them somewhat accountable for that and would appreciate a fix. Would you expect to be forced to buy a new car every couple of years because the manufacturer stopped supporting the old model as soon as there was a new one (even if that new one was expensive, unreliable and fugly), and refused to allow anyone else to maintain it?

"So don't run with unnecessary rights, just like you wouldn't on any other OS." - while this is true, it's worth bearing in mind that necessary rights for a local user are generally going to be enough to screw with all of their files. Advising people to use unprivileged accounts for normal users doesn't excuse producing pathologically insecure applications.

0
0
Thumb Down

another Re: Be smarter

Yeah NoScript is a great add-on, if you want to b0rk the web and spend the rest of your life white-listing stuff to fix it again.

It's like an over zealous firewall asking you to confirm or deny every little thing.

Lots of hassle, no real protection.

0
0

@AC 09:56

The files are:

%SystemRoot%\System32\Config\SAM

%SystemRoot%\System32\Config\SECURITY

%SystemRoot%\System32\Config\SOFTWARE

%SystemRoot%\System32\Config\SYSTEM

%SystemRoot%\System32\Config\.DEFAULT

And the users' personal settings are in ntuser.dat, which is part of the roaming profile.

On w2k there are .ALT versions of the registry files which store a duplicate, in case of corruption. In w2k3 and above the individual databases are transaction logged so can be rebuilt if a corruption is detected.

As far as I know the files are not operated from memory, but are locked for exclusive access for the whole time that the OS is up. I'm not 100% sure, but they are probably jet databases or some derivitive thereof.

0
0
Linux

RE: Anonymous Coward @ 7th July 2009 08:36 GMT

You said, "Would you expect a car manufacturer to retro-fit better locks to your car five years after you bought it because someone worked out how to pick the old ones?"

I say, "Would you not expect a car manufacturer to issue a recall if an old model was found to be inherently defective or would you be happy for them to tell you that you need to buy a new model?"

Actually I do kinda agree with what you're saying... there's no reason why MS shouldn't provide better products and charge for them accordingly - provided they also fix security issues with the older products and don't just use that as an excuse to force people to upgrade.

Contrary to the person you replied to, I think that MS will eventually provide a hotfix for this issue - their workaround is just a temporary fix until it's been tested. I don't think they would honestly expect to get away with leaving this unfixed on supported OSes such as XP.

I'm not sure, however, how long it will take them to do it. Whilst he was still at the helm, Gates seemed to have been pushing through changes to decrease the Vulnerability Window by making security fixes available sooner. But since he stepped down, there generally seems to be less priority placed on getting the hotfixes out quickly (with the exception of the 2 out-of-band patches released earlier this year).

Tux - because I wish I could download the source code and build my own car for free like I do with Linux.

0
0
Flame

Re: re: Be even smarter

"Id rather set myself on fire than use OSX thanks, not everyone wants style over substance"

...and in this instance I'd rather let you. Got the crumpets and muffins ready - over to you.

0
0
Boffin

RE: The registry

Someone else will probably beat me to it, but the files I know of that comprise the registry are:

%SYSTEMROOT%\System32\config\system, loaded into HKEY_CURRENT_CONFIG and HKEY_LOCAL_MACHINE\System

%SYSTEMROOT%\System32\config\security, loaded into HKEY_LOCAL_MACHINE\Security

%SYSTEMROOT%\System32\config\software, loaded into HKEY_LOCAL_MACHINE\Software

%USERPROFILE%\NTUSER.DAT - one per user, loaded into HKEY_CURRENT_USER and HKEY_USERS/<UserSID> when the user logs on

%USERPROFILE%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - one per user, loaded into HKEY_USERS/<UserSID_Classes> when the user logs on

There are also 3 "system users" that have hives that are always loaded:

LocalService, loaded into HKEY_USERS/S-1-5-19 and HKEY_USERS/S-1-5-19_Classes

NetworkService, loaded into HKEY_USERS/S-1-5-20 and HKEY_USERS/S-1-5-20_Classes

.DEFAULT, stored in %SYSTEMROOT%\System32\config\default and loaded into HKEY_USERS/.DEFAULT

FYI, HKEY_LOCAL_MACHINE\HARDWARE is a "volitile" key in that it is built by the kernel during startup, it isn't stored in a file.

This has been a public service announcement by your friendly neighborhood system deployment specialist. We return you now to your regularly scheduled flame war.

0
0
Boffin

RE: The registry

And of course I forgot %SYSTEMROOT%\system32\config\SAM, loaded into HKEY_LOCAL_MACHINE\SAM

0
0
Go

Group Policy Fix

I remember having to work hard the first time to set up a method of setting killbits with group policy. Then I found the following article:

http://msinfluentials.com/blogs/jesper/archive/2006/09/29/Set-KillBit-on-Arbitrary-ActiveX-Controls-with-Group-Policy.aspx

As soon as I had the CLASSID, it took 5 minutes to add it to group policy and protect 100+ computers.

I just hope this helps anyone else wondering how to deal with it!

0
0

Fix

Messing with the registry is really easy. if you want to delete this virus just delete the whole registry and restart, that'll work fine.

0
0
Pint

@ AC - 10:19 GMT

"Id rather set myself on fire than use OSX thanks, not everyone wants style over substance"

Yeah - i always love weenie roasts! I got my beer! Start-her up!

0
0
Terminator

*sigh*

This is *really* getting bothersome now.

Wish the d__n malware coders will be terminated.

The days when you didn't need a firewall or have to worry about wonky sites is long past now.

0
0

This post has been deleted by a moderator

Silver badge

But...

Firefox makes all websites look so damned ugly. Used it last week when at a different site. Awful experience. Popups every two seconds asking "Did you really want to..." and Gad! That spellchecker!

Week before that it was Mozilla, a browser so clever that when you set the first tab to magnify text by (say) 125%, every tab you open in that same browser window will need to be told to magnify 125% because, gosh, it's not like you might have poor eyesight or be working on a fsking Unix X window lashup with piss-poor resolution adjusting tools and might expect the bloody browser res to inherit, is it?

Stopped using Opera yonks ago due to the way it behaved when it found deprecated tags. Memo to Opera developers: When there are two distinct schools of thought on how to do stuff, it's worth thinking twice before becoming the one and only proponent of option "B".

Speaking as someone who does use IE, it would be nice if the baying hounds would take a leaf from my book and stop yowling for me to use whatever they think is the bees knees. I mean, it isn't that long ago we were witnessing the authors of the two Firefox plug-in's mentioned above slagging each other off in public and writing code at each other in secret. *There's* a technology I'd buy into in a heartbeat (if the alternative were a hot poker in the hurty bits). If you don't want I.E. users accessing your websites, just tell them so and eat the consequences.

I noticed a while back that a certain UK webstore was popping up a little political screed urging a non I.E. browser be installed before I had the privilege of viewing their wares. I did the obvious: bought from somewhere else and wrote to the webmaster saying what I'd done and why. The message is, curiously, not displayed any more upon loading their front page but the website still runs like a dog because of the heavy payload it attempts to force down the pipe in the quest for Teh Awsum. (Research suggsts the browsing experience is no better with the Golden Browsers either, for what it's worth).

Yes it's inconvenient that yet another hole has been found in some dimwit active X control. Yes, the problem targets Windows and IE, because those are the majority choice in the marketplace, for whatever reason. No doubt when Firefox has swept all other browsers before it into the mists of oblivion, people will start writing more attack code for it. I look forward to the day when the clear technical advantages and ease of use of the product, coupled with a virtually effortless installation and configuration that my 80 year old parents can manage, make this the browser of choice. Of course, by then everyone will be using Chrome.

I'd say nice things about OS X but, well, it's OS X.

0
0
Pint

Yet Again Someone Has Done Some Homework

And found an exploitable weakness. Today m$ IE (that I detest) but tomorrow something else. The malware writers are in it for the money, and should not be underestimated.

However, if they put their skills to improving things for mankind, I'm sure they could achieve an awesome amount. However climate prediction and script kiddies would be like monkeys and typewriters ..... But the really gifted guys ?

Crying shame really.

I need a pint, just like Inspector Morse ... nice bit of the country in summer BTW.

0
0
Flame

Use Windows...

And don't blame me if you hackers keep finding all those holes in your OS and browser.

0
0
This topic is closed for new posts.

Forums