Security Bytes

Nov 8 2010   4:25PM GMT

TrendLabs researchers warn Microsoft workaround breaks Web pages


A temporary workaround to mitigate a zero-day vulnerability in Internet Explorer causes most Web pages to load improperly.

By Ron Condon, UK Bureau Chief

Researchers at Trend Micro Inc. are warning Internet Explorer users that a workaround, which can be deployed to block a new zero-day flaw in the browser, can break the functionality of most Web pages.

Microsoft warned last week that it is investigating a new vulnerability that affects all supported versions of Internet Explorer, and could lay it open to remote code execution. The company also said it is aware of targeted attacks that are already trying to exploit the vulnerability.

The IE flaw exists due to an invalid flag reference within Internet Explorer, which can be accessed after an object has been deleted under certain conditions. The company says that in a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

Jonathan Leopando, a researcher with Trend Micro’s TrendLabs is warning that the temporary measures advocated by Microsoft to block the flaw will cause most Web pages to load improperly in IE.

“The mitigating steps force the use of a user-specified CSS style sheet (breaking site formatting) and disabling scripting (disabling many site features),” he wrote, adding that users should also check that Data Execution Prevention (DEP) is enabled, to reduce the potential effects of any exploits.

The best way to avoid the problem, he says, is to upgrade to the beta version of IE version 9, which is not affected.

In the TrendLabs blog, Leopando said Trend Micro researchers have acquired a sample of the exploit for the vulnerability and have analyzed the threat. The main page that delivers the exploit downloads a backdoor, which in turn downloads various encrypted files which, when decrypted, contain the commands that the backdoor will perform.

Leopando says we are likely to see further attacks exploiting the vulnerability. One reason is that a new hacking tool, called HKTL_ELECOM allows cybercriminals to generate pages that contain the JavaScript code which exploits this vulnerability.

“This makes exploiting the vulnerability easier, which means that attacks that target will probably become more commonplace,” he wrote.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: