For the second month in a row, Microsoft is releasing an out-of-band patch, this time to address the much-exploited zero-day vulnerability in Internet Explorer. The browser bug – a flaw in the data-binding function of IE – featured prominently in the following massive cybercriminal threats:
- An online games information-stealing operation that seemed to be targeting Chinese users. Websites were rigged with a malicious JavaScript that Trend Micro detects as JS_DLOAD.MD, which triggers redirections to multiple URLs and leads users to download several TSPY_ONLINEG variants.
- Mass SQL injections on some 6,000 websites, one of which is a sporting goods site with a traffic rank of about 7 million. Several exploits (HTML_IFRAME.ZM, JS_DLOADER.QGV, HTML_AGENT.CPZZ) led to the download of WORM_AUTORUN.BSE. The worm modifies files and downloads malicious files onto an infected PC.
These attacks were discovered within days of each other, highlighting the severity of the threat and even prompting some security researchers to recommend not using IE until a patch for the bug is released.
Microsoft also released a bulletin outside its regular Patch Tuesday last month to address a Server Service vulnerability that was later exploited by cybercriminals to build a botnet. The IE patch is intended for release on the 17th.
As soon as the updates are available, users should patch their PCs immediately. In the meantime, Trend Micro suggests the following workarounds:
- Set Internet and Local intranet security zone settings to High to enable prompts before running ActiveX Controls and Active Scripting in these zones.
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
- Enable DEP for Internet Explorer 7.
- Use ACL to disable OLEDB32.DLL.
- Unregister OLEDB32.DLL.
- Disable Data Binding support in Internet Explorer 8.
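The first two workarounds can be checked on a workstation with a short audit script. This is an added example, not part of the original advisory. It assumes the standard per-user zone layout in the registry (zone 1 = Local intranet, zone 3 = Internet; action 1200 = run ActiveX controls, action 1400 = Active Scripting; value 0 = enable, 1 = prompt, 3 = disable), and the function names are hypothetical.

```powershell
# Added example: report whether ActiveX and Active Scripting are set to
# Prompt or Disable in the Internet and Local intranet zones.
# Assumption: only the per-user (HKCU) settings are read; settings enforced
# by machine or Group Policy live elsewhere and are not inspected here.

$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones   = [ordered]@{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions = [ordered]@{ '1200' = 'Run ActiveX controls'; '1400' = 'Active Scripting' }
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-ZoneSetting {
    param([hashtable]$Values, [string]$Action)
    # The workaround is met only if the value exists and is Prompt (1) or Disable (3).
    return ($Values.ContainsKey($Action) -and ($Values[$Action] -in 1, 3))
}

function Get-ZoneValues {
    param([int]$Zone)
    # Read the action values for one zone; a missing key yields an empty table.
    $values = @{}
    $key = Get-ItemProperty -Path (Join-Path $ZonesRoot $Zone) -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($a in $Actions.Keys) {
            if ($null -ne $key.$a) { $values[$a] = [int]$key.$a }
        }
    }
    return $values
}

$report = foreach ($z in $Zones.GetEnumerator()) {
    $values = Get-ZoneValues -Zone $z.Key
    foreach ($a in $Actions.GetEnumerator()) {
        $raw = $values[$a.Key]
        [pscustomobject]@{
            Zone    = $z.Value
            Setting = $a.Value
            Value   = if ($null -eq $raw) { 'not set' } else { "$($Meaning[$raw]) ($raw)" }
            Meets   = Test-ZoneSetting -Values $values -Action $a.Key
        }
    }
}

$report | Format-Table -AutoSize

# A non-zero exit code lets a login script or inventory tool flag the host.
if ($report | Where-Object { -not $_.Meets }) { exit 1 }
```

A row with `Meets = False` means that zone still runs the content without prompting, so the workaround is not in effect for the current user.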
Trend Micro users are already protected from malware and dangerous sites by the Smart Protection Network. Non-Trend Micro users can download the Web Protection Add-On, which provides users proactive protection and alerts them when web threats or bot-related activities are detected in their systems.
Update as of 18 December 2008, 08:00 AM PST:
Microsoft has released the much-awaited bulletin addressing the zero-day bug. IE users should PATCH NOW.



