Porn sites exploit new IE flaw
By Joris Evers, CNET News.com
Published on ZDNet News: September 19, 2006, 3:58 PM PT
Miscreants are using an unpatched security bug in Internet Explorer to install malicious software from rigged Web sites, experts warned Tuesday.
The vulnerability lies in the way IE 6 handles certain graphics. Malicious software can be loaded onto a vulnerable Windows PC without the user's knowledge when the user follows a malicious link on a Web site or in an e-mail message, several security companies said.
"Fully patched Internet Explorer browsers are vulnerable," Ken Dunham, director of the rapid response team at VeriSign's iDefense, said in an e-mailed statement. "This new zero-day attack is trivial to reproduce and has great potential for widespread Web-based attacks in the near future."
Shady adult Web sites are among the first to exploit the IE vulnerability, Eric Sites, vice president of research and development at spyware specialist Sunbelt Software, wrote on a corporate blog. In one case, a malicious Web site used the exploit to install "epic loads of adware," according to Sunbelt.
Microsoft plans to fix the flaw as part of its monthly patching cycle on Oct. 10, the software giant said in a security advisory. The update might be released sooner, "depending on customer needs," Microsoft said. Typically, Microsoft only breaks its patch cycle when attacks are widespread.
The number of attacks may rise quickly, according to Web security company Websense. It appears that WebAttacker, a tool often used to create attack sites, has been fitted with the new exploit, Websense said in an e-mailed statement. "We have confirmed multiple, previously known, WebAttacker sites that are currently exploiting this vulnerability to install malicious software," Websense said. "We expect to see many of the several thousand WebAttacker sites begin to utilize the exploit, as they update to the latest release of the tool kit."
"Microsoft is aware that this vulnerability is being actively exploited," the company said in its advisory. While it works on an update, Microsoft recommends users keep their security software updated and take caution when browsing the Web. In its advisory, it also provides several workarounds to protect systems against the flaw.
The vulnerability lies in a Windows component called "vgx.dll," the library that renders Vector Markup Language documents for the operating system and for IE. VML is used for high-quality vector graphics on the Web.
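Because the flaw is triggered by VML content in a rigged page or e-mail, a defender waiting for the patch may want to flag documents that would invoke the VML renderer at a mail gateway or Web proxy. The following is an added example in Python, not code from the article, from Microsoft, or from any of the vendors quoted. The indicators it looks for (the VML namespace URN `urn:schemas-microsoft-com:vml`, elements under a prefix bound to that URN, and the `behavior:url(#default#VML)` CSS binding) are assumptions drawn from how VML is embedded in HTML; the article gives no such detail. The sample inputs are constructed.

```python
from __future__ import annotations
import re

# Indicators that a document will invoke the VML renderer (vgx.dll) in IE.
# These are assumptions about how VML is embedded in HTML, not details from
# the article: the VML namespace URN, an element under a prefix bound to it,
# and the CSS behavior that attaches the renderer to that prefix.
VML_URN = "urn:schemas-microsoft-com:vml"
NS_DECL_RE = re.compile(
    r"""xmlns:([A-Za-z_][\w.-]*)\s*=\s*["']\s*""" + re.escape(VML_URN) + r"""\s*["']""",
    re.I,
)
BEHAVIOR_RE = re.compile(r"behavior\s*:\s*url\(\s*['\"]?#default#VML['\"]?\s*\)", re.I)


def vml_prefixes(html: str) -> set[str]:
    """Namespace prefixes bound to the VML URN, plus the conventional 'v'.

    Markup in the wild often uses <v:...> without a visible declaration (the
    declaration may sit in an <html> tag delivered separately), so 'v' is
    always included.
    """
    found = {m.group(1).lower() for m in NS_DECL_RE.finditer(html)}
    found.add("v")
    return found


def scan_for_vml(html: str) -> dict[str, int]:
    """Count VML indicators in an HTML document or HTML e-mail body."""
    hits: dict[str, int] = {}
    decls = len(NS_DECL_RE.findall(html))
    if decls:
        hits["namespace_declaration"] = decls
    # Build the element pattern from whatever prefixes this document binds.
    elem_re = re.compile(
        r"<\s*(?:" + "|".join(re.escape(p) for p in vml_prefixes(html)) + r"):[A-Za-z]+\b",
        re.I,
    )
    elems = len(elem_re.findall(html))
    if elems:
        hits["vml_element"] = elems
    beh = len(BEHAVIOR_RE.findall(html))
    if beh:
        hits["vml_behavior"] = beh
    return hits


def should_quarantine(html: str) -> bool:
    """Policy for the unpatched window: any VML indicator means hold for review."""
    return bool(scan_for_vml(html))


# Constructed samples, not captured pages or e-mails.
BENIGN = "<html><body><p>No vector graphics here.</p><img src='logo.png'></body></html>"
VML_PAGE = (
    "<html xmlns:v=\"urn:schemas-microsoft-com:vml\"><head><style>"
    "v\\:* { behavior:url(#default#VML); }</style></head><body>"
    "<v:rect style='width:100px;height:50px' fillcolor='red'/></body></html>"
)
ODD_PREFIX = "<html xmlns:vml='urn:schemas-microsoft-com:vml'><body><VML:oval/></body></html>"

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("vml_page", VML_PAGE), ("odd_prefix", ODD_PREFIX)):
        print(name, scan_for_vml(doc), "quarantine" if should_quarantine(doc) else "pass")
```

This is a coarse heuristic, which is the right trade-off while the patch is pending: it will also flag legitimate VML (for example, HTML saved from Office applications), and it will miss markup that is assembled by script at page-load time or served through an encoding the proxy does not decode. Treat a hit as a reason to hold the document for review, not as proof of an exploit.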
This is the second known and unpatched flaw for IE to surface in as many weeks. Last week Microsoft confirmed a flaw in an ActiveX control related to multimedia. Attack code that exploits the flaw and could be used to hijack Windows PCs running IE 5 or IE 6 has been posted on the Net. Microsoft also has yet to provide a patch for a Word 2000 flaw being exploited in targeted cyberattacks.