Internet Explorer Exploits
Defects in the Windows Internet Explorer browser, some of them without
available patches, have been used to install Adware, Spyware, and other malicious
programs on computers visiting malicious or compromised web sites (or clicking links in
e-mail messages that lead to malicious or compromised web sites). This installation
may occur without operator intervention or notification once the web site is visited.
E-mail messages containing links to malicious web sites have been generated by
SPAM and worms.
Our security devices pick up dozens and sometimes hundreds of attempts daily to
exploit Internet Explorer on computers connected to the JMU network. The
security devices
stop some of these attacks but not all of them. Home computers have no such
protection, leaving their security entirely up to the operators.
Number of exploit packets. Number of involved systems is significantly less.
Risk Reduction Measures
It goes without saying that keeping a Windows computer up to date with patches,
enabling the Windows XP firewall,
and using anti-virus software is mandatory in these days of constant worms and
exploits. However, even with these precautions, there is risk. Security-related defects have been discovered in Internet Explorer features
almost every other month for the past three years (see Note 1).
Sometimes, these defects are exploited by people before patches are available
from Microsoft to fix them. Updates, firewalls, and anti-virus software are
generally powerless to prevent a compromise via a new exploit in such cases.
Malicious web sites, compromised web sites, and links to such sites in e-mail
and instant messages can result in instant compromises of visiting computers to
install spyware or worse
with no action on the part of the visitor.
The following steps are offered as options to
further reduce risk. People operating computers accessing sensitive data,
elevated privilege accounts, or applications attractive to the criminal element,
such as electronic banking, may want to pay particular attention.
- Avoid clicking links in SPAM and other untrusted, unexpected, or unusual e-mail messages.
Unfortunately, it's easy to make a mistake, hard to determine trustworthiness of a message, and sometimes
even trusted web sites get compromised.
- Avoid untrustworthy web sites. Pornography sites in particular seem to be
using exploits to obtain information about visitors (email addresses seem
popular) and/or install malicious software on visiting computers. Unfortunately, it's
easy to make a mistake, hard to determine trustworthiness, and sometimes even
trusted web sites get compromised.
- Perform day-to-day operations, particularly web browsing and email
reading, using an unprivileged account, which will
restrict the ability of malicious web sites to take over your computer. Do not
use the Windows 'Administrator' or 'power user' account or a Windows account that is a member
of the administrator or power users groups for day-to-day use. This decreases the
functionality available to malicious programs or exploits you may encounter
and the repercussions of accidents. This is particularly recommended for
shared or unattended computers or those used by children.
Instructions for Windows XP. Instructions for
other Windows operating systems on University of Texas web site. More
detailed information:
- Disable scripting and other browser functionality that increases risk.
If using Internet Explorer, you can do this selectively, allowing trusted sites to
have more functionality and control over your browser than untrusted or
unknown ones.
This will prevent exploitation of most defects, patched or unpatched. It may also, however, reduce
convenience or functionality.
  - Microsoft Safer Browsing Instructions
  - JMU Instructions with more details and screen shots
- Configure your email client to display email in plain text. This reduces
functionality available to malicious messages.
- Use the
Windows XP Software Restriction Policies to restrict the computer to
running only approved programs. This is particularly recommended for shared
or unattended computers or those used by children.
- Use another browser when visiting web sites where Internet Explorer functionality is not needed,
for example, Firefox or the Mozilla application suite.
  - Many web sites have been designed and tested only for Internet
  Explorer. This may make it necessary to use two browsers if you need to access
  such sites.
  - Mozilla products and other browsers also have security defects
  reported, but at the present time not as frequently, nor are they as often exploited.
  Because other browsers also have problems, minimizing functionality, such as
  scripting, is an effective risk reduction technique for those products too.
  Unlike Internet Explorer, however, this is an all-or-nothing decision. There
  is no way to have different settings for different sites.
- If you choose to switch from Internet Explorer to another browser, it is
still recommended that you set Internet Explorer's Internet zone to High
security. This is because Internet Explorer can sometimes be used by other
programs.
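
The account and Internet zone recommendations above can be checked with a short read-only script. The PowerShell below is an added example, not part of the original page; it assumes the standard per-user security zone registry layout documented by Microsoft (zone 3 = Internet, URL actions 1400 and 1200) and does not look at settings enforced through Group Policy.

```powershell
# Added example: read-only audit of the current account and the Internet
# Explorer Internet zone against the risk reduction measures listed above.

# Well-known SIDs of the built-in local groups to avoid for daily use.
$privilegedGroups = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-547' = 'Power Users'
}

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$findings  = @()

foreach ($entry in $privilegedGroups.GetEnumerator()) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Key)
    # IsInRole tests the groups enabled in the current process token.
    if ($principal.IsInRole($sid)) {
        $findings += "Account $($identity.Name) is running with $($entry.Value) membership"
    }
}

# Per-user settings for security zone 3 (the Internet zone).
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$zone = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue

if (-not $zone) {
    $findings += "Internet zone settings not found at $zoneKey"
} else {
    # CurrentLevel 0x12000 corresponds to the High security template.
    if ($zone.CurrentLevel -ne 0x12000) {
        $findings += ('Internet zone level is 0x{0:X}, not High (0x12000)' -f $zone.CurrentLevel)
    }
    # URL action values: 0 = enabled, 1 = prompt, 3 = disabled.
    $actions = @{
        '1400' = 'Active scripting'
        '1200' = 'Run ActiveX controls and plug-ins'
    }
    foreach ($id in $actions.Keys) {
        if ($zone.$id -ne 3) {
            $findings += "$($actions[$id]) (action $id) is not disabled in the Internet zone"
        }
    }
}

if ($findings.Count -eq 0) {
    'OK: unprivileged account, Internet zone at High with scripting and ActiveX disabled'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it from the account normally used for browsing and e-mail, since both checks apply to the logged-on user.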
United States Computer Emergency Readiness Team Alerts
Incidents of compromised web sites compromising visitors' computers through
Internet Explorer defects:
Worms Exploit Internet Explorer Defect
ComputerWorld:
"Internet Explorer Carved Up by Zero-day Hole"
The following link describes just one example of a known malicious program being
installed by using an Internet Explorer defect. Reportedly, it is being
installed using a defect for which a fix was made available at the Windows
Update site in April. Without the update, visiting a web site exploiting this
defect will automatically install the program on your computer. From that point,
the program will watch your browsing habits, wait until you visit an electronic
banking site, collect your passwords, and send them off to the people performing
this crime. While up to date anti-virus software will detect this particular
program, it won't detect all the programs that are being installed by this type
of activity. Similarly, while being up to date with patches from the Windows
Update site will stop older exploits, newer ones can only be stopped by using
additional risk reduction techniques like those mentioned earlier.
Note 1: Determined by counting patches for Internet
Explorer as described on Microsoft's Security Bulletin web page.