A blog post at PC World by Frank Ohlhorst implies that Microsoft’s forthcoming free anti-malware product, Morro, will proxy users’ Internet traffic:
Morro will work by routing all of a user’s Internet traffic to a Microsoft datacenter, where the Morro application will process the traffic and identify and block malware in real time, by examining all of the rerouted traffic.
This seems very unlikely. First, the technical challenge of handling, and analyzing in real time, the Internet traffic of hundreds of millions of Internet users would be outrageous. Second, this would have tremendous privacy implications, and Microsoft has recently been pretty good at staying out in front of such issues.
An intern here at the Berkman Center e-mailed the article’s author to question his characterization of Microsoft’s new service. Ohlhorst answered that the Windows-based client would route traffic to Microsoft’s servers for analysis and back to the client, similar to "how Panda’s hosted security works."
I suspect Ohlhorst is referring to Panda’s Cloud Antivirus. If so, the comparison is probably closer to the truth than his explanation of it. Panda’s service has a client that monitors the PC for new processes and, when one is found, sends a cryptographic hash of the executable up to "the cloud" to learn whether the process is malware. This is, at least in theory, more efficient and effective than each client downloading definitions each day. Several AV products from other vendors use some variation on this theme, sending hashes, URLs, or sometimes even entire suspicious executables to a central server for analysis and/or checking against an updated block list. My educated guess, from what I’ve heard about Morro and seen elsewhere, is that Morro will do something similar, but will not route all of a user’s Internet traffic to Microsoft.
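To make the difference between "routing all traffic" and "sending a hash" concrete, here is an added example (not code from Panda, Microsoft, or the original post) of the client side of a hash-lookup service. The "cloud" is stood in for by an in-memory verdict table, the process monitor by a dictionary of constructed executable bytes, and the whole model (SHA-256 of the file, a local verdict cache, an audit log of what left the machine) is an assumption about how such services work in general, not a description of Morro.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed samples standing in for executables seen by a process monitor.
KNOWN_BAD = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed-malicious-sample"
KNOWN_GOOD = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed-benign-sample"


def sha256_hex(data: bytes) -> str:
    """Digest that is sent instead of the file itself."""
    return hashlib.sha256(data).hexdigest()


# Assumption: the vendor's cloud service answers "malware" / "clean" / "unknown"
# for a digest. A real service would be an HTTPS endpoint; a dict stands in here.
CLOUD_VERDICTS = {
    sha256_hex(KNOWN_BAD): "malware",
    sha256_hex(KNOWN_GOOD): "clean",
}


@dataclass
class CloudLookupClient:
    """Client side of a hash-lookup AV service.

    Nothing but 64-hex-character digests leaves the machine, and each digest is
    sent at most once thanks to the local cache.
    """
    cache: dict = field(default_factory=dict)      # digest -> verdict
    uplink_log: list = field(default_factory=list)  # every string sent to the cloud

    def _query_cloud(self, digest: str) -> str:
        self.uplink_log.append(digest)  # the digest, not the file, not the user's traffic
        return CLOUD_VERDICTS.get(digest, "unknown")

    def classify(self, exe_bytes: bytes) -> str:
        digest = sha256_hex(exe_bytes)
        if digest not in self.cache:
            self.cache[digest] = self._query_cloud(digest)
        return self.cache[digest]

    def bytes_uploaded(self) -> int:
        """Total bytes sent upstream, for comparison with 'all Internet traffic'."""
        return sum(len(d) for d in self.uplink_log)


def scan_new_processes(client: CloudLookupClient, processes: dict) -> dict:
    """processes: {name: executable bytes}, the constructed stand-in for a process monitor."""
    return {name: client.classify(data) for name, data in processes.items()}


if __name__ == "__main__":
    client = CloudLookupClient()
    verdicts = scan_new_processes(client, {
        "good.exe": KNOWN_GOOD,
        "bad.exe": KNOWN_BAD,
        "repacked.exe": KNOWN_BAD + b"\x00",  # one byte changed: exact-hash lookup misses it
    })
    print(verdicts)
    print("bytes sent to cloud:", client.bytes_uploaded())
```

The `repacked.exe` entry shows the limitation that explains why some vendors also send URLs or whole suspicious files: an exact-hash lookup is defeated by any change to the binary, so a repacked sample comes back "unknown" rather than "malware".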
Microsoft released their fairly comprehensive Security Intelligence Report today. Among the interesting badware-related findings:
- Rogue security products, such as XP Antivirus 2008 and its many similarly-named variants, have increased significantly in recent months
- Attackers are increasingly focusing on exploiting applications (e.g., MS Office, Adobe Reader, etc.) in addition to or instead of the OS and browser
- The types of badware targeted at particular populations vary significantly by country. For example, password stealers for game and other account information are much more prevalent in China and Brazil, while other types of Trojans are more prevalent in the U.S.
- Malware hosting is most concentrated in China, Russia, the Balkan nations, the U.S., and Spain. This is a bit different than our findings, which makes sense, as Microsoft is looking more at where the actual executables are hosted, while Google (which supplies us with data) looks at where the drive-by exploits are found.
- Microsoft detects one drive-by download in every 1,500 web pages indexed.
Far more information can be found in the report, which can be downloaded here.
The big news in the malware world this week was the spread of a new zero day exploit for Internet Explorer. Microsoft responded fairly quickly, releasing an emergency patch yesterday, but meanwhile, the bad guys were working quickly to hack websites so they could deliver password-stealing malware onto users’ vulnerable machines via drive-by download.
To me, this highlights a trend that the security community has been seeing more lately: very rapid distribution of exploits for applications that haven’t been patched or that have just recently been patched. This is all enabled through the ability of malicious actors to quickly deploy the exploit code through the use of botnets, spam, and vulnerable websites.
In turn, this trend points out the insufficiency of "being careful" as a defense against malware. Keeping your PC up to date and avoiding suspicious websites are important safety steps, but neither will protect a user from a legitimate website hosting a zero day drive-by exploit.
Security experts always talk about layers of security, and this is a great example of the importance of that. When you combine the defenses above with "just in time" warning messages about known badware websites, proactive AV scanning, and improved security architecture in the desktop OS and applications, a user has a reasonable chance of being protected from even new, fast-moving threats. Perhaps there’s still more that can be done. Public user warning systems, distributed intelligence gathering, and other new approaches to helping users avoid malware are on the horizon, and StopBadware looks forward to working with its partners and the rest of the community in our collective effort to fight back.
Microsoft Live Search recently joined Yahoo! and StopBadware partner Google in warning users about malware-infected websites in search results:
As Live Search crawls the web, we assess whether a page contains any malicious elements or exhibits any malicious behavior, and then flag questionable pages with a warning message.
Kudos to Microsoft for getting on board with what we believe has been an effective way of reducing ordinary PC users’ exposure to drive-by downloads and other web-based threats. We have not yet explored the new feature too extensively, so we don’t know yet how accurate their listings are or how they’re managing the process of reviewing websites that site owners believe are mislabeled or have been cleaned up. However, we are in touch with folks in Redmond, and we hope to learn more in the coming weeks.
StopBadware.org staff security researcher Oliver Day has a guest blog post at SecurityFocus that explores the relationship between Microsoft’s anti-piracy measures and the number of vulnerable Windows machines around the world. His conclusion:
The simple answer is that the current WGA policies from Microsoft significantly extend the lifetimes of vulnerabilities, sometimes indefinitely.
Follow the link above to read his full, thoughtful post.
Symantec describes a vulnerability in Internet Explorer that allows a website with malicious content to install a Microsoft-signed ActiveX control and then exploit a known vulnerability in that control:
Because the control is Microsoft signed, its installation is silent, and does not require any user interaction. Once this vulnerable control is installed on the victim’s computer, it is exploited in the same way as if the control was installed all along. To top it off, this attack is carried out as a drive-by attack, so the unprotected user may never know that they were vulnerable, or had been targeted, let alone infected.
It does not appear that there is a known fix for this right now, so it’s just one more reason to keep your security software up to date if you’re using Internet Explorer.
A researcher from security firm Kaspersky reportedly claims that he told Microsoft of a vulnerability in Internet Explorer “a long time ago,” but Microsoft didn’t consider it a security issue. Now, he claims he has found an example of an exploit in the wild that takes advantage of the vulnerability.
The attack, discovered at a compromised legitimate site, is using a modified GIF file to exploit the cross-site scripting feature/vulnerability.
…
Fast forward to the latest site compromise — on a high traffic Web site — where a GIF file containing an embedded iFrame is pointing IE users to a known malicious site. (The malicious site is currently offline but there’s evidence that it’s tied to ID-theft attacks)….
If the researcher’s findings are true (we haven’t confirmed them), then Microsoft should be embarrassed for missing an opportunity to protect its users and should immediately reconsider its position and treat this as the security issue that it is.
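The attack above depends on the browser treating a file served as an image as HTML once it finds markup inside it. The following is an added example, not code from Kaspersky, Microsoft, or the original post: a small scanner a site owner could run over uploaded or hosted images to catch a GIF that carries HTML (such as a hidden iframe) after the image data. The sample polyglot it builds, the constructed `http://malicious.example/` URL, and the set of tags it looks for are all assumptions made for the example.

```python
import re

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")

# Markup that has no business inside an image file. Tag list is an assumption;
# extend it to taste.
HTML_MARKERS = re.compile(rb"<\s*(iframe|script|object|embed|html|body|meta)\b", re.IGNORECASE)
IFRAME_SRC = re.compile(rb'<\s*iframe[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def build_polyglot_gif(payload_html: bytes) -> bytes:
    """Constructed sample: a valid 1x1 GIF89a followed by arbitrary HTML."""
    header = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
    image = b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b"
    return header + image + payload_html


def build_clean_gif() -> bytes:
    return build_polyglot_gif(b"")


def scan_gif(data: bytes) -> dict:
    """Report whether the file claims to be a GIF and whether HTML markup appears in it."""
    result = {"is_gif": data[:6] in GIF_SIGNATURES, "html_offset": None, "iframe_srcs": []}
    m = HTML_MARKERS.search(data)
    if m:
        result["html_offset"] = m.start()
        # Pull out iframe targets so they can be fed to a blocklist or incident ticket.
        result["iframe_srcs"] = [s.decode("latin-1") for s in IFRAME_SRC.findall(data)]
    return result


def is_polyglot(data: bytes) -> bool:
    """True when a file carries a GIF magic number and HTML markup."""
    r = scan_gif(data)
    return r["is_gif"] and r["html_offset"] is not None


if __name__ == "__main__":
    sample = build_polyglot_gif(
        b'<iframe src="http://malicious.example/x.html" width=0 height=0></iframe>'
    )
    print(scan_gif(sample))        # html_offset 35, one iframe target
    print(is_polyglot(build_clean_gif()))  # False
```

Two practical notes: re-encoding every uploaded image with an image library discards trailing bytes and is a more robust control than pattern matching, and servers can send the `X-Content-Type-Options: nosniff` header, honoured from IE8 onward, so the browser does not upgrade a file served as `image/gif` to HTML. Neither helps users of the IE versions the researcher was describing, which is why the researcher and the author treat the browser behaviour itself as the problem.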
Ryan Naraine over at the Zero Day Blog reports that a new vulnerability has been found in Internet Explorer 6 running on Windows XP with service pack 2 or 3:
An unpatched cross-domain vulnerability in Microsoft’s flagship Internet Explorer browser could expose Windows users to cookie hijacks and credentials theft attacks, according to a warning from security researchers.
At the moment, there is no patch:
In the absence of a patch, IE users are strongly encouraged to upgrade to IE 7. Or, as always, consider using an alternative browser.
About a month ago, we questioned Apple for characterizing a Safari security vulnerability as a “feature” issue, not a security issue. This issue got further attention when Microsoft announced that the Safari vulnerability combined with a Windows vulnerability could lead to remote code execution.
I’m glad to report that Apple has patched the hole in the Windows version of Safari, though they continue to treat the unprompted downloading of files as a non-security issue, as indicated by this write-up from their advisory:
An issue exists in how the Windows desktop handles executables. Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code. Web browsers are a means by which files may be saved to the desktop. To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user’s Downloads folder on Windows Vista, and to the user’s Documents folder on Windows XP. This issue does not exist on systems running Mac OS X.
In other words, Apple is saying that the only security issue is the Windows desktop vulnerability, so they’ve patched Safari to protect you from Microsoft’s flaws. While the patch is an essential download for users of Safari for Windows, it is disappointing that Apple continues to shift the blame and to indicate that the Mac version of Safari does not have a security issue.
I also hope that we will see a patch from Microsoft that addresses the Windows desktop vulnerability directly.
Hat tip to Ryan Naraine at the ZDNet Zero Day Blog for reporting on Apple’s update.
