A previously unknown Internet Explorer bug has been used in target attacked online, security researchers warned today.
An unidentified website has been breached by the unknown attackers, who injected code that can exploit a flaw in the Internet Explorer browser. The perpetrators sent e-mails to selected individuals who were part of targeted organizations, luring them to the hacked webpage.
If the user was running Internet Explorer 6, or Internet Explorer 7, they may have been infected with a backdoor trojan. No user intervention would have been required for the malware to be delivered if the flaw was exploted successfully. Internet Explorer 8 “might” be technically vulnerable to the flaw, but the browser’s built-in Data Execution Protection (DEP) would cause the webpage to crash instead.
“Looking at the log files from this exploited server we know that the malware author had targeted more than a few organizations,” Symantec reported. “The files on this server had been accessed by people in lots of organizations in multiple industries across the globe.”
The flaw lies in IE’s handing of Cascading Style Sheets. The browser under-allocates memory, allowing data to be overwritten in memory vtable pointers. This can allow an attacker to inject code and execute it.
Microsoft has not said when a patch will be made available for the flaw but it is not likely to be released out of cycle due to it being ineffective with Internet Explorer 8. For those running IE6 or IE7 who cannot update for any particular reason, there is always the Enhanced Mitigation Experience Toolkit (EMET) provided by Microsoft to help IT Professionals protect systems from common threats. EMET works by applying security mitigation technologies to arbitrary applications to block against exploitation through common attack vectors.
Result for: attackers
Oracle has issued Java and OpenOffice patches today, patching 29 vulnerabilities that would allow attackers to take control of exploited computers.
28 of the vulnerabilities “could be remotely exploitable without authentication (over a network without the need for a username and password),” says Oracle, via ZD.
The patches are available for users running Windows, Linux and Solaris. Mac users are also vulnerable, but security updates are not expected for another month.
Alarmingly, 15 of the vulnerabilities were given a 10.0 Common Vulnerability Scoring System (CVSS-SIG) severity rating. The scale goes from 1 to 10.
Given the severity, Oracle says you should update your system “as soon as possible.”
Check your system for updates here: http://java.com/en/download/installed.jsp
Result for: attackers
According to security company McAfee, actress Cameron Diaz is used most often as malware bait, with search strings using her name having a ten percent chance of coming up with an infected site.
Dave Marcus, McAfee’s director of security research and communication says searching for “Cameron Diaz and screensavers” increases that rate to 20 percent.
McAfee, as it has done since 2007, compiled the search phrases containing names of celebrities, athletes and politicians trying to calculate the percentage of sites that are tagged as dangerous.
Diaz surpassed Jessica Biel, last year’s “champion,” who fell to third place. Julia Roberts took second, while Gisele Buendchen and Brad Pitt rounding out the list.
“It’s a simple fact. The bad guys read the same news as the good guys,” said Marcus.
Marcus also explained why Diaz jumped so high, as the McAfee list was composed during the month where two of her films were in theaters, “Knight and Day” and “Shrek Forever After.”
Phishers and attackers use the names to trick unsuspecting users into visiting malicious sites, which then installs malware on their computers.
