Contact Us
Internet Explorer Vulnerability - Exploit Code in the Wild
- URL: http://www.secureworks.com/research/threats/iexplorer
- Date: September 5, 2003
- Author: Joe Stewart
***Critical Threat***
SecureWorks' research team has received reports of exploits in the wild for the recent Internet Explorer vulnerability described in Microsoft Security Bulletin MS03-032. Apparently there are groups that are hacking third-party websites and appending the exploit code to existing pages. Upon loading the page in an unpatched Internet Explorer, the user will immediately have malicious code installed on their computer. This could be any worm, trojan or backdoor of the attacker's choosing.
Microsoft released the information and patch for this vulnerability on August 20, 2003. If you are running IE 5.01, 5.5 or 6.0 and have not patched Internet Explorer since that time, you are vulnerable. You could be exploited as soon as one of your users visits the wrong website. This could be almost any website, even ones they visit regularly. We have already seen evidence that a large web hosting company was exploited to have the malicious code inserted into every customer's pages.
Threat:
Critical
Because sample exploit code has been posted to several hacker websites, it is the opinion of the SecureWorks' research team that this method of exploitation will be increasingly popular among hackers in the coming months. SecureWorks has created and implemented signatures to detect and prevent this threat.
Remediation:
The patch you need to install on Windows systems to protect your users from this exploit is known as the "Cumulative Patch for Internet Explorer (822925)"
Update:
It has been reported that the official Microsoft patch for this vulnerability is not 100% effective in blocking exploitation. At this time, there is no fully working solution except disabling ActiveX controls and also disabling Active Scripting in IE.
Some links that may be of use in determining your exposure to this vulnerability:
Technical Bulletin: http://www.microsoft.com/technet/security/bulletin/MS03-032.asp CERT Advisory: http://www.cert.org/advisories/CA-2003-22.html End-User Bulletin: http://www.microsoft.com/security/security_bulletins/ms03-032.asp
