Security vendors mixed on severity ratings of the most recent browser vulnerability
September 20, 2012 — Microsoft on Wednesday released a temporary fix for an Internet Explorer vulnerability affecting most versions of Windows, as security vendors debated the risk of infection by exploits found on the web.
Microsoft said the “one-click” fix would have to be installed manually, but would not require a system reboot or affect a person’s ability to browse the Web. On Sept. 21, Microsoft planned to push out a permanent patch to Windows users through the operating system’s automatic update feature.
The patch will fix the latest publicly disclosed vulnerability, as well as four other critical flaws, said Yunsun Wee, director of Microsoft’s Trustworthy Computing unit.
Security vendors disagree on the threat level of the known vulnerability discovered over the weekend. Sophos raised the level to “high,” one notch below “critical.” The flaw, in IE versions 6 through 9, enables a hacker to install software capable of commandeering a computer.
Sophos chose high for now, because an exploit for the vulnerability, known as CVE-2012-4969, had not been added to Blackhole and other popular underground tools used by hackers. “If the prevalence increases, we will likely move to critical,” said Chester Wisniewski, a senior security adviser for Sophos.
Rather than wait for more exploits of the flaw, Rapid7 and FireEye rated the vulnerability as critical and highly critical, respectively. The highest ratings were warranted because the number of exploits on the Web was growing and IE accounts for a third to more than half of the browser market. The share varies by tracking firm.
“There are many users at risk, so it’s definitely highly critical,” said Atif Mushtaq, a security researcher at FireEye.
AlienVault reported on Tuesday that it had found three booby-trapped websites capable of installing malware in visitors’ systems. The malware-carrying sites included nod32XX.com, led-professional-symposium.org, a fake domain of a professional site aimed at manufacturers of LED (light-emitting diode) lighting, and defensenews.in, the main defense news portal in India. Malware being used included the PlugX remote access Trojan program.
“It seems the guys behind this zero-day [exploit] were targeting specific industries,” Jaime Blasco, an AlienVault researcher, said in a blog post. “We’ve seen that they compromised a news site related to the defense industry and they created a fake domain related to LED technologies that can be used to perform spear-phishing campaigns to those industries.”
The targeted nature of many of the attacks led nCircle to rate the vulnerability between medium and high. “We are not seeing full-on, drive-by attacks with this,” Storms said. “What we’re still seeing is more targeted, very specific attacks.” In a drive-by attack, simply visiting a site can infect a computer.
Nevertheless, the vulnerability was serious enough for Germany’s Federal Office for Information Security to issue an alert Monday, warning people against using IE until Microsoft releases a fix. Sophos was also recommending that people use another browser.
Microsoft was given high marks for the speed of its response to the vulnerability. “Generally, they are moving really quick, and they are communicating with the public,” Storms said.
Because consumers are usually slow to install manual fixes, a much larger number of Windows users will be protected once the automatic update is released. “They need to prioritize an official patch that is deployed using Windows Update to truly provide protection to most IE users,” Wisniewski said.