Microsoft fixes 8 IE holes, including one used in attacks

Microsoft on Thursday issued a cumulative critical patch for Internet Explorer that fixes eight vulnerabilities, including a hole targeted in the China-based attacks on Google and other U.S. companies.

The security update is rated critical for all supported releases of IE 5, 6, 7, and 8, according to the advisory. The more severe vulnerabilities could allow remote code execution if a user views a malicious Web page using IE, it said.

This IE security update was already planned for release on the next scheduled Patch Tuesday (February 9), Jerry Bryant, senior security program manager at Microsoft, said in a blog post.

Microsoft has known about the hole for at least four months, after it was privately disclosed it to the company, Bryant said.

"When the attack discussed in Security Advisory 979352 was first brought to our attention on January 11, we quickly released an advisory for customers two days later," he wrote. "As part of that investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September."

Installing the IE update addresses the vulnerability across all applications, even those using the same dynamic link library and which allow active scripting--which were discovered to be possible attack vectors, he said.

Microsoft also scheduled a Webcast to discuss the bulletin for 1 p.m. PST.

Microsoft acknowledged the hole a week ago, two days after Google disclosed the attacks launched against it and what is now believed to be more than 30 other companies. In the attacks, only IE 6 was targeted, Microsoft said.

Exploit code for the hole was published to the Internet the day after Microsoft went public with the IE warning.

"Microsoft continues to see limited and targeted attacks against Internet Explorer 6 only," Bryant said in a statement. "However, Microsoft recommends customers deploy the security update as soon as possible to protect themselves against the known attacks."

For an attack to be accomplished, an attacker would have to lure an IE user to a Web site hosting malware that was written to exploit the hole in the browser. This could be done by using social engineering and including a link to the malicious site in an e-mail that looks like it is coming from someone familiar or contains important information. Once a computer is infected, an attacker could take complete control of it.

Internet surfers should have already updated from IE 6, which is nearly 10 years old, said Oliver Lavery, manager of the vulnerability and exposure research team at nCircle.

"IE 6 is fundamentally much less secure than IE 8, regardless of patching. Yet IE 6 still had the largest market share of any version of IE as of December 2009--at 20.99 percent," he said. "This has created a situation of systemic vulnerability in many enterprises as the software many of their employees use every day is fundamentally not very secure."

Meanwhile, Trend Micro and Symantec said on Thursday that they had identified new malware samples that exploit the IE vulnerability used in the Google attacks. One new exploit that is being hosted on hundreds of Web sites is detected by Symantec as Trojan.Malscript, Symantec said in a statement. TrendLabs researchers said in a blog post that they discovered that the new scripts targeting the IE hole are versions of JS_DLoader.

Websense reported on its blog that targeted attacks like those that hit Google and using the IE hole appear to have started during the week of December 20 and are ongoing to government, defense, energy and sectors, and other organizations in the U.S. and the United Kingdom. Victims are receiving targeted e-mails with malware that appears to be a data-stealing Trojan, according to Websense.

Also on Thursday, Microsoft warned of a hole in the 32-bit versions of Windows and offered information on a workaround until a patch was released.

Updated 12:03 p.m. PST with Websense comment and 11:38 a.m. PST with comments from nCircle, Trend Micro, Symantec, and information on Microsoft security advisory about hole in Windows kernel.