December 10, 2008, 4:28 PM — Microsoft today said it's investigating reports of a new unpatched vulnerability in Internet Explorer (IE) that did not get patched in yesterday's massive update.
Other researchers, meanwhile, said that the timing of the attacks, which have already started, was not coincidental.
"The updates Microsoft released yesterday do not address this possible vulnerability," a Microsoft spokesman said today in an e-mail reply to questions, "but I can tell you that Microsoft is investigating these new public claims of a possible vulnerability in Internet Explorer."
Exploit code, which first surfaced in China, is actively seeking out victims, according to security researchers there and in the U.S. Those researchers have found attack code on multiple malicious domains and servers. Elsewhere today, an exploit was posted to the milw0rm.com site, a popular destination for public posting.
Symantec Corp. echoed Microsoft today, confirming that the flaw was not fixed by Tuesday's record-setting update, which included four patches, all judged "critical," for IE.
"The attack works successfully against a fully patched Windows XP SP3 with Internet Explorer 7, including all recent Microsoft Tuesday patches," said Symantec researcher Elia Florio in an entry to the company's vulnerability blog. "Also, Internet Explorer 6 could potentially be affected by the same problem and is therefore only temporarily immune to this initial exploit, which seems to target Internet Explorer 7 on Windows XP and 2003 systems."
There is some minor disagreement among researchers about the underlying bug. HD Moore, a noted vulnerability researcher and the labs director at BreakingPoint Systems, a Texas-based network test company, said his analysis points to a flaw in how IE handles the HTML "span" tag.
Others, however, said that the vulnerability is broader than that. "It's a problem in the .dll that handles the rendering of multiple types of HTML content in IE," said Ben Greenbaum, a senior manager in Symantec's security response group. "But the bug is triggered by the span tag, so it would be accurate to say it's a combination of both of those sources."
Greenbaum said Symantec has monitored attacks, but downplayed the threat for now. "Even in those regions [China and Asia], we're not seeing very high amounts of attacks," he said. "And in our own lab tests, the exploit is not successful against every machine. It's not all that reliable."
He guessed that the current attack code works, at best, a third of the time, but is most likely even less reliable than that. "Only a small portion of these attacks will be successful."
Symantec has not yet determined whether other versions of Microsoft's browser contain the same vulnerability; attack code in use now, however, works only against IE7.
Both Greenbaum and Moore agreed that what sets the bug apart is the timing.
"The most interesting thing is that it seems to have been first exploited on Patch Tuesday," Greenbaum said. "If that's the case, then it's a safe bet that they timed it so that at the least they'd have a month before a patch is released."
"There are usually a couple of these floating around," noted Moore in an e-mail today. "I think the media focus is related to the Microsoft Tuesday timing more than anything else." During his research, Moore uncovered two Chinese servers that were serving malicious code, and noted that the exploits had been last modified Sunday and yesterday.
Symantec recommended that users enable DEP (data execution prevention) in IE and disable JavaScript. The former can be done by calling up Internet Options from IE's Tools' menu, clicking the Advanced tab, then checking the box marked, "Enable memory protection to help mitigate online attacks."
Microsoft didn't promise a patch, but said it might produce one. "Once we're done investigating, we will take appropriate action to help protect customers," said the company's spokesman. "This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves."
