Microsoft is again being forced to respond to serious Internet Explorer security holes coupled with exploit code that could allow attackers to saddle Windows users with spyware, Trojans or other trouble, even if they have updated with Microsoft’s Service Pack 2 (SP2).
Security research firm Secunia reported and posted an example of the latest exploit, which continues a string of critical vulnerabilities in Explorer. Denmark-based Secunia said the security issue — a weakness in Explorer’s command execution — could permit arbitrary commands to install code on a computer from a malicious Web site without requiring any user interaction. The exploit involves an HTML Help problem that can be used together with insufficient drag-and-drop validation to bypass SP2 security features and compromise user systems, Secunia said.
Security experts pointed to a series of critical Explorer holes and exploits over the last few months as a troubling indicator of the dangers of Web browsers, particularly Explorer. Some were also critical of Microsoft’s lack of effort in improving and bolstering Explorer, which is fast losing ground to other browsers, especially the Mozilla open-source community’s Firefox.
The series of recent, significant Explorer holes dates back to mid-October, when researchers first pointed out fresh security problems with the browser. It wasn’t until the end of November that security experts realized the seriousness of the issue, for which an exploit had emerged.
“That’s when it became clear the vulnerability went beyond the original [security findings and announcements],” said Ken Dunham, iDefense director of malicious code intelligence. He told TechNewsWorld that the issues for Explorer have been ongoing, with security advisories from the BugTraq mailing list, Secunia, CERT, anti-virus vendor Symantec and others.
“We have been seeing these types of activities heat up,” Dunham said of Explorer exploits. “This is definitely one to watch and one we should be concerned about,” he added in reference to the most recently reported exploit.
Microsoft reportedly will soon release a patch for the Explorer flaws, but Dunham warned that the attacks on Explorer — the most popular and dominant Web browser — are likely to continue.
“In terms of Web browsers, now we’re talking about media applications,” he said. “What an opportunity for hackers to install their Trojan of choice.”
Dunham added that while Microsoft is making an effort to make Explorer more secure, there is increased opportunity in targeting browsers. For attackers, there is money to be made.
Richard Stiennon, Webroot’s vice president of threat research, told TechNewsWorld he agreed with Secunia’s labeling the latest holes and exploit as extremely critical. Stiennon — who pointed out that this evidence of Explorer’s spyware susceptibility appears only days after Microsoft announced its own anti-spyware software last week — said Microsoft has failed to adequately address the issues in its browser.
Letting It Languish
“I’m still hearing that they’re letting it languish,” Stiennon said. “They have not devoted the resources and are waiting for Longhorn [the next major Windows update] for feature updates [in Explorer]. That’s a mistake. That’s a big mistake.”
The security analyst added that while newer browsers such as Firefox were built to block pop-ups and phishing attempts at ID and information theft, Explorer was not.
“All of these things take into account the harsher, more dangerous environment that we live in today,” Stiennon said of newer, alternative browsers, which still account for a very small share of the browser market.
Stiennon said the continuing string of vulnerabilities, and then exploits, against the browser was having a dangerous, cumulative effect.
“This will just breathe more life into the folks doing bulk phishing or basically any Web-based attacks,” Stiennon warned. “As they patch for [older issues], the spyware writers will switch to these other vulnerabilities.”