# Attacks on IE Flaw Escalate



## Nick (Apr 23, 2002)

*"IE and me are through, that's it" *

Washington Post.com March 27, 2006

More than 200 Web sites -- many of them belonging to legitimate businesses -- have been hacked and seeded with code that tries to take advantage of a _unpatched_ security hole in Microsoft's Internet Explorer Web browser to install hostile code on Windows computers when users merely visit the sites.

I have to call Microsoft out on both counts, and I think some of what I've uncovered so far about these attacks should make it clear that the situation is serious and getting worse by the hour.

According to a list obtained by Security Fix, hackers have infected at least 200 sites, many of which you would not normally expect to associate with such attacks (i.e., porn and pirated-software vendors). Among the victims are a regional business council in Connecticut, a couple of vacation resorts in Florida, a travel-reservation site, an online business consultancy, an insurance company, and a site featuring things to do at various cities across the country...

More @ *WashingtonPost.com* (registration may be required)

See related story *"Non-Microsoft Patches Issued for IE Flaw"* *HERE*


----------



## Nick (Apr 23, 2002)

Third-party fixes from Aliso Viejo, Calif.-based eEye Digital Security and Determina 
of Redwood City, Calif., came after Microsoft said it did not plan to issue its own
update until April 11, the next date in its regular monthly security-update cycle.

----------------

*From eEye Digital Security:*

Exploits Circulating for Internet Explorer Unpatched Vulnerability

Date: March 27, 2006

Severity: High

Systems Affected:
Windows NT 4.0
Windows 98 / ME
Windows 2000 SP4
Windows XP SP1 / SP2
Windows 2003

Internet Explorer 5.01 Service Pack 4
Internet Explorer 6
Internet Explorer 6 Service Pack 1
Internet Explorer SP2 (On Windows XP SP2)

Overview:
eEye Digital Security is advising customers to the existence of exploit code that targets a critical security vulnerability in Microsoft Internet Explorer. The exploit pertains to an unpatched vulnerability that has been released on various public mailing lists. Microsoft has released the following security alert on this issue:

http://www.microsoft.com/technet/security/advisory/917077.mspx


----------



## Richard King (Mar 25, 2002)

Well, this caused me to switch. I am now a Firefox browser, that is IF I can find a way to have my favorites along the left side of the screen as I had with IE. Any ideas on how to set that up? I haven't been able to find it, yet.


----------



## Nick (Apr 23, 2002)

In Firefox, go to <view>,<sidebar> then check "bookmarks".


----------



## Richard King (Mar 25, 2002)

Wow!!! Look at that. I knew the answer was here somewhere. Thanks, Nick.


----------



## Nick (Apr 23, 2002)

> *On March 31st alone, phishers gleaned personal and financial information on 13,677 accounts, including 3,536 credit card account numbers, 255 Paypal accounts, 1,038 eBay accounts; 93 user names and passwords for Bank of America online accounts; and login credentials for some 2,609 Hotmail e-mail accounts.*


It is easy to write about the latest security flaw in Microsoft's Windows operating system as if it were some abstract threat that hackers may or may not get around to exploiting at some point. But when you have evidence that a single phishing group is using the vulnerability to steal online banking and e-commerce credentials from thousands of victims each day, the threat suddenly becomes a great deal more personal and real.

Take, for instance, the data being collected by San Diego-based Secure Science Corp., a company that offers stolen-data retrieval services for financial institutions. Most of the criminal groups the company monitors filch data by spamming out e-mails with links to Web sites that use a variety of known Internet Explorer and Windows weaknesses to install malicious code.

Once installed, that malware steals stored user names and passwords and records what the victim types when he or she visits targeted financial sites. Secure Science can intercept that data by finding the location of "dead drops" -- e-mail inboxes or Web site databases set up by the attackers to receive information stolen from infected machines...

More @ *WashingtonPost.com*


----------



## ntexasdude (Jan 23, 2005)

Gawd, my head is spinning. I pay bills and do online banking all the time. To think I could get scammed by no certain stupidity or error on my part is frightening.


----------



## Bogy (Mar 23, 2002)

On a probably unrelated note, I have forwarded my third phishing email to ebay in about three days. I had two in one day. I had not bought anything for a while, lately I bought a couple of things, and all of a sudden I'm getting these again.


----------



## CoriBright (May 30, 2002)

I get EBay and PayPal phishing emails all the time... but never on the account that I use for either of them! Actually it's been a quiet week as far as they've been concerned... now I might get worried!


----------



## HIPAR (May 15, 2005)

There are a few simple things you can do to protect yourself:

1. If you are on a cable or DSL modem 'hide' behind a router. 

2. Dump IE and use FireFox. Set it to clear cookies when you exit. I very rarely find a site that doesn't work with FireFox and also find FireFox to be a much nicer to operate.

3. Never never respond to those 'Click Here' lines on unsolicited EMails. Push the Delete key instead. Call your bank if you get an Email 'from them' implying your account is in trouble.

4. Install those free Tool Bars, 'Cool Bars' and other like nonsense with great trepidation.

Conventional wisdom says 'Install a firewall and to subscribe to an antivirus service'. I use the Windows firewall only when I'm on a dialup connection. Otherwise, I don't have any of these running here and haven't had any major problems for about two years now. The call is yours.

I have all autoupdates turned off. I am very selective about Mircrosoft Windows patches. Again, you make the call.

I occasionly do an on demand scan with the free Ad-Aware program and have only found one very minor problem a few months ago.

That's my analysis.

--- CHAS


----------



## Nick (Apr 23, 2002)

Microsoft today said it plans to issue at least five free software updates next week to fix security flaws in its Windows operating system and other software products.

At least one of the updates will carry a "critical" rating, which Microsoft assigns to flaws that could be used by attackers or automated computer worms to take over vulnerable computers without any action on the part of the user.

Microsoft is expected to issue several updates for its Internet Explorer Web browser, including one to fix a flaw that criminals have been using to plant spyware on computers when users merely visit one of hundreds of malicious Web sites.

WashingtonPost.com


----------



## djlong (Jul 8, 2002)

The number one way to avoid phinshing scams is to look at those notes in your email.

If they say "Dear User" instead of using YOUR FULL NAME, it's a scam.

That right there will eliminate almost all email-based phishing scams. I find it interesting to hover over the links they provide which will have a tooltip-style pop-up show you the REAL address in clients like Outlook and some Bank of America site will REALLY translate to something like "foo.mumble638.ru/scam/bankofamerica". I mean, for geeks like me, it's BLINDINGLY obvious that these are false but for the majority out there who AREN'T living and breathing silicon it's a simple way to help them ID the phonies.


----------



## Steve Mehs (Mar 21, 2002)

The issue isn’t with Microsoft, it’s with stupid users. Microsoft is the biggest therefore the most targeted. Being semi educated at how to act safely on the net isn’t really that hard. I haven’t received a single spam email to my main accounts in about 3 years now. I have use my main Yahoo account for a lot of stuff, my secondary Yahoo account for junk that I hardly ever logon to, and my main email address from Road Runner I keep for personal email and REPUTABLE stuff like VISA and AMEX statements, online account management TIME WARNER and NEXTEL. This is also the email address I use for AMAZON and that I used for NETFLIX. I have had this email address for nearly 2 years now and have yet to receive and junk email. Don’t enter your email address in every online form, don’t sign up for free porn to your inbox and most importantly, don’t post your email in a public forum. If you want to give some one here your email address use the email feature here or PM it to the person. 

Don’t punch the monkey for a free PSP, don’t guess which celebrities ass that is for a free RAZR.

This stuff is more about common sense then being a computer geek.

Proud IE user for 8+ Years!


----------



## Nick (Apr 23, 2002)

Microsoft on Tuesday released five updates to remedy security flaws in its software products, including a huge -- and potentially disruptive -- patch bundle that fixes eight "critical" flaws in Microsoft's Internet Explorer Web browser.

The IE patch corrects a flaw that was publicly disclosed three weeks ago and has been used by attackers to install invasive software on machines of tens of thousands of IE users when they merely visited one of hundreds of Web sites that had been seeded with code to exploit the flaw.

More @ *WashingtonPost*.com

http://www.microsoft.com/technet/security/bulletin/ms06-apr.mspx


----------



## Nick (Apr 23, 2002)

*"...PatchLink made aware of compatibility issues by its customer base."*

An Internet Explorer update released earlier this week can interfere with some applications, including Google's Toolbar, according to PatchLink, a maker of patch management software.

Other applications affected by the Web browser patch include business software from Oracle's Siebel customer relationship management unit and certain Web applications that use specific versions of Java, PatchLink said Friday.

The problems arise because of changes Microsoft made to how the Web browser handles Web programs called ActiveX controls. The modifications are designed to shield Microsoft from liability in a high-profile patent dispute with Eolas Technologies and the University of California. ...

More @ *CNet*.com


----------



## Richard King (Mar 25, 2002)

> including Google's Toolbar


Google's Toolbar doesn't work under IE in Windows XP64 at all. It works fine under Firefox, my current default browser (Thanks Nick).


----------



## Laverne (Feb 17, 2005)

It might be helpful to everyone reading this thread (including me!!) if someone could please explain how this would affect Average Jo(sephine) IE6 User, who doesn't use the Google toolbar and doesn't use any kind of Oracle business software.  Any potential problems with the update other than those two items?


----------

