Archived Blog

Update on the Microsoft Internet Explorer 0-day

01.19.2010 - 4:43 PM

We are monitoring the situation on the new Internet Explorer 0-day vulnerability that we blogged about yesterday. Our ThreatSeeker(TM) network has identified two more malicious URLs that are used in live attacks, this time hxxp://201002.[REMOVED]:2988/log/ie.html and hxxp://m.[REMOVED].net:81/m/index.html. According to reports from our friends at Ahnlab, the second URL was spread through the Instant Messenger network Misslee Messenger, a popular IM client in South Korea.

We have created a timeline of the events surrounding the attacks Google, Adobe etc and the vulnerability (click for a bigger version):

aurora_timeline

Out-of-band patch coming from Microsoft
Due to the attention the new vulnerability has received, Microsoft has announced that they will release an out-of-band patch for Internet Explorer. While a date has not been announced, this means that users will not have to wait until February 9, the next patch Tuesday, to download the fix.

Update: Mirosoft released the patch on January 21 as MS10-002.

Is IE 6.0 really used?
Ever since we heard the reports that it was an Internet Explorer 6.0 0-day vulnerability that was used in the attacks we wondered if there were details about the attacks that weren't being made public. Not only is Internet Explorer 6.0 a very old browser, you'd think that most companies would have updated to a newer version by now; most targeted attacks involve an attachment in a popular file format such as PDF, DOC and XLS. So we took a look at our own website visitor statistics for websense.com and were quite surprised by the results. Turns out that Internet Explorer 6.0 is the second most popular browser reprenting 19.6% of all visits!



In addition, Brian Krebs made an interesting discovery about browsers the other day when he visited his local bank to setup a bank account.

Bookmark This Post: