IE7 Hacked – Internet Browser Open to Identity Thieves
Those savvy in the internet world were stunned late last week when Microsoft broke their rule of releasing patches to their software on the second Tuesday of the month. The reason? Their latest version of Internet Explorer had been breached by hackers.
Microsoft’s IE7 Breached
Malicious software aimed at a weak spot in IE7 hit several legitimate websites the first week of December, including a major internet portal in Taiwan. Trend Micro identified at least 10,000 websites infected with the software, which was slipped onto unprotected browsers and can be used by hackers to take control of infected computers, steal data, redirect browsers to dubious websites, and use machines for devious activities such as attacks on other networks.
Microsoft stated that in response to identification of the threat, they had instantly mobilized security engineering teams worldwide to deliver a software cure “in the unprecedented time of eight days.” The emergency patch was rushed out to users as quickly as possible.
Patch Needs to be Applied Immediately
“When the patch is released people should run, not walk, to get it installed,” said Trend Micro advanced threat researcher Paul Ferguson. “What makes this so insidious is it takes advantage of a big gaping hole of IE, which has the largest install base of any browser on the market. This vulnerability is being actively exploited by cyber-criminals and getting worse every day.”
Microsoft security response communications head Christopher Budd claims the problem is not as dire as Trend Micro makes out. “At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7,” Budd said. “Microsoft encourages customers to test and deploy this update as soon as possible. Microsoft’s teams worked around the clock.”
Problem More Widespread than Originally Thought
Ferguson disagrees that the problem is isolated, citing the opinion of Trend Micro researchers that the flaw is being taken advantage of in “multiple versions” of IE, not just the most current. He also pointed out that there had been reports from China of attacks taking advantage of the IE weakness to steal user names, passwords and other information from people playing online games there, and that these attacks had gone on after a routine patch had been thought to fix the problem.
“It spread like wildfire from there,” Ferguson said. “I guess they were trying to be responsible and share what they knew about what was going on, but they were mistaken about it being patched. There is a working flaw circulating in the criminal underground,” Ferguson concluded. “It opens the window of opportunity that much wider to take advantage and there has not been real protection against it.”
All internet users should protect their computers with one or more anti-spyware, antivirus or firewall measures, and should change passwords frequently. Private identifying information should be guarded, and all accounts and credit reports should be checked frequently for suspicious activity.



February 10th, 2009 at 6:20 pm
[...] Data breaches can be any size, but thieves often go for mass theft of files as was witnessed in the breaking into of a potential 100 million customer cards of Heartland Payment Systems in January and the hacking of Microsoft’s Internet Explorer last December. [...]