IE Vulnerability Spreads To Email
Now you can be infected just previewing an email.
For now, Microsoft has published a Security Advisory, which provides steps customers can take to protect themselves.
A security update is now being finalized, but at this point, Microsoft plans to release it as part of its October security updates on October 10, three weeks away. A Microsoft spokesperson confirmed late Wednesday when asked by internetnews.com that the fix would come next month, not sooner.
Microsoft has dragged its feet on exploits before. When the WMF virus was found in late December, Microsoft was initially slow to release a fix but eventually did so ahead of schedule due to customer pressure.
Eric Sites, vice president of research & development at Sunbelt Software, which first found the virus, said Microsoft should not wait on a patch.
"I expect over the next week there will be an exponential growth in the number of Web sites using this to push malware (define) on people," he said. "It can be worse than the WMF virus because you couldn't exploit WMF through email. All it takes is a couple guys with spam and the bad guys have a very efficient delivery system with these bots."
Originally, the virus was found on porn Web sites, but the iDefense team at VeriSign has found code that can be executed within an email client; all you have to do is use the preview function in an email client, you don't even have to open the letter or click on a link, the most common means of infecting a computer.
According to Ken Dunham, director of the Rapid Response Team at iDefense, email is rendered in Outlook with Internet Explorer. That's how it handles scripts and embedded code, like HTML. When you preview it, the hostile code can execute and hit the VML problem.
And Dunham said this code is spreading among underground virus sites quickly. "The exploit code is out there for people to copy, paste and start using. It's trivial to leverage and reproduce. When it's popularized and easy to do, it's trouble," he said.
The VML exploit is a buffer overflow that allows for remote code execution, and in this case, it's being used to download multi-stage, multi-chain attacks using a program called WebAttacker toolkit.
Dunham said in one case, WebAttacker installed 73 files, including 15 executables, taking up 12 megabytes in size. It installed everything from proxies to dialers to keyloggers to spyware.
Sites also thinks this virus could be as nasty as WMF, if not worse. "Just looking at an email means you can be exploited. So things can escalate very quickly," he said.