Hackers wield newest IE exploit in drive-by attacks

French and German governments are urging users to dump the IE browser until Microsoft produces a patch

Hackers are attacking users with an exploit of Internet Explorer (IE) that was allegedly used last month by the Chinese to break into Google's corporate network, a security company said Monday.

That news came on the heels of warnings by the information security agencies of the French and German governments, which recommended that IE users switch to an alternate browser, such as Firefox, Chrome, Safari, or Opera, until Microsoft fixes the flaw.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and Security Central newsletter, both from InfoWorld | Grimes also explains how to stop data leaks in an enlightening 30-minute webcast, Data Loss Prevention, which covers the tools and techniques used by experienced security pros. ]

In a Monday alert Websense said it identified "limited public use" of the unpatched IE vulnerability in drive-by attacks against users who strayed onto malicious Web sites. The site Websense cited in its warned has since been yanked from its hosting server.

According to Websense, the attack code it spotted is the same as the exploit that went public last week. That code was quickly turned into an exploit module for Metasploit, the open-source penetration testing framework, by HD Moore, the creator of Metasploit and chief security officer for security company Rapid7.

Websense also said its researchers were working with Microsoft's to identify sites serving up the exploit.

On Sunday, however, Microsoft continued to downplay the threat. In a post to the Microsoft Security Research Center (MSRC) blog, George Stathakopoulos, general manager of the Trustworthy Computing Security group, repeated earlier claims by the company that it had only seen a "very limited number of targeted attacks against a small subset of corporations."

Stathakopoulos stressed that the only attacks detected thus far have been against the eight-year-old IE6. That version of Microsoft's browser lacks security measures, including DEP (data execution prevention), that are available in IE7 and IE8. For that reason, Stathakopoulos urged users of IE6 or IE7 -- the latter is potentially vulnerable to attack when run on Windows XP -- to upgrade to IE8.

However, some security organizations don't believe that is enough, and have instead recommended that users switch to another browser until Microsoft issues a patch. Both the German and French government computer security agencies have urged IE users to run a different browser.

Last Friday, Germany's Federal Office for Information Security , known by its German initials of BSI, and France's CERTA each issued advisories about the IE vulnerability.

Both BIS and CERTA called for users to ditch IE. "Pending a patch from the publisher, CERT recommends using an alternative browser," a translation of the French advisory stated.

A spokesman for Opera Software claimed that the download rate in Germany for its browser doubled over the weekend, and attributed the jump to the BIS warning.

Although U.S. researchers did not go so far as to suggest abandoning IE, some said the risk to IE users was high. "Internet Explorer users currently face a real and present danger due to the public disclosure of the vulnerability and release of attack code, increasing the possibility of widespread attacks," said George Kurtz, chief technology officer of McAfee, in a blog update Sunday.

Others told everyone to take a breath and stay calm. "What we have today is a bug in all versions of Internet Explorer, but so far only weaponized for IE version 6 on Windows XP," said Andrew Storms, director of security operations at nCircle Network Security, in a blog post of his own Saturday. "As usual, DEP and ASLR [address space layout randomization] are providing significant mitigation with IE8, Vista and Windows 7. The net ... is that today's attacks are only successful on Windows XP with IE6."

For its part, Microsoft said it was hard at work on a fix, but did not commit to updating IE before Feb. 9, the next regularly-scheduled Patch Tuesday. "We have teams working around the clock worldwide to develop a security update," said Stathakopoulos, whose name on the MSRC blog entry is one sign Microsoft takes the vulnerability situation seriously: Stathakopoulos rarely posts on the MSRC blog.

The IE vulnerability has gained more attention than most browser zero-day bugs because it has been linked to the attacks that broke into some of the firms targeted in a widespread campaign that compromised Google's and Adobe's corporate networks. McAfee was the first to reveal that the attacks against Google had been conducted using exploits of the IE vulnerability.

Microsoft last week acknowledged that the flaw had been used to hack Google's network and others.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer , send e-mail to gkeizer@ix.netcom.com or subscribe to Gregg's RSS feed .

This story, "Hackers wield newest IE exploit in drive-by attacks" was originally published by Computerworld.

Copyright © 2010 IDG Communications, Inc.