One flaw lets an attacker run a program on a victim's machine, while the other enables malicious code to "cross zones," or run with privileges higher than normal. Together, the two issues allow for the creation of a Web site that, when visited by victims, can upload and install programs to the victim's computer, according to two analyses of the security holes.
The possibility that a group or company has apparently used the vulnerabilities as a way to sneak unwanted advertising software, or adware, onto a user's computer could be grounds for criminal charges, said Stephen Toulouse, security program manager for Microsoft.
"We consider that any use of an exploit to run a program is a criminal use," he said. "We are going to work aggressively with law enforcement to prosecute individuals or companies that do so."
Microsoft learned of the issue when a security researcher posted an analysis of the problem to the Full Disclosure security mailing list Monday. The software giant has already contacted the FBI and is in the "early stages" of building the case, Toulouse said. The company is considering creating a patch quickly and releasing it as soon as possible, rather than waiting for its usual monthly update.
The flaws are apparently being used to install the I-Lookup search bar, an adware toolbar that is added to IE's other toolbars. The adware changes the Internet Explorer home page, connects to one of six advertising sites and frequently displays pop-ups--mainly pornographic ads, according to an adware advisory on antivirus company Symantec's Web site.
On Tuesday, security information group Secunia released an advisory about the problem, rating the two flaws "extremely critical."
"Secunia has confirmed the vulnerabilities in a fully patched system with Internet Explorer 6.0," the group wrote. "It has been reported that the preliminary SP2 (a major security update being developed by Microsoft) prevents exploitation by denying access."
The flaws could let any attacker with a Web site send an e-mail message or an instant message with a link that, when clicked on by an Internet Explorer user, would cause a program to run on that victim's computer.
The original analysis, written by a student researcher from the Netherlands, Jelmer Kuperus, found that the type of programming needed to take advantage of at least one of the flaws required sophisticated knowledge of the Windows operating system.
"While sophisticated, it's so easy to use, anyone with basic computer science can set up such a page, now that the code is out there in the open," Kuperus wrote in an e-mail interview with CNET News.com. "It's just a matter of changing two or three (Internet addresses) and uploading another" executable file.
Kuperus, who used an e-mail account based in the Netherlands, wrote in a Monday e-mail that he had been tipped off to the adware Trojan horse by an unnamed individual.
"Being rather skeptical, I carelessly clicked on the link only to witness how it automatically installed adware on my PC!" he wrote.
The Internet address from which the adware Trojan horse was downloaded resolves to I-Lookup.com, a search engine registered in Costa Rica that antivirus firms Symantec and PestPatrol have linked to aggressive advertising software. Two of the top three searches on the site relate to removing such programs, according to I-Lookup.com's own statistics.
A domain name search shows i-Lookup.com's parent company to be Aztec Marketing, but PestPatrol links the site with iClicks Internet. E-mails sent to both companies for comment were not immediately answered.
Kuperus believes that i-Lookup.com's parent company may not be directly responsible for the adware-installing Trojan horse program, but that it could be rewarding the creator through an affiliate program.
"It does pass along a referrer code when downloading," he said. "Whomever created this probably is getting money for every install, so if the folks at (i-Lookup.com) would be willing, they would be able to track down the perpetrators."
Microsoft's Toulouse said Internet Explorer users could harden the software against such attacks by following instructions on the company's site. Other browsers available on Windows, such as Opera and Mozilla, do not contain the flaws.




2) Sites that require ActiveX (usually games-on-demand sites.)
I've disabled access to IE for anything web-related, and the only pages I go to with it are Windows Update and Comcast Games On Demand. If Mozilla Firefox could incorporate ActiveX, I'd mothball IE altogether. I'd love to be able to fully disable IE, but as long as there's enough M$ money to line the pockets of the politicos and pay off the USDoC and EU fines without so much as a wrinkle in Mr. Gate$' checkbook, then we're pretty much up the sewer without a gas mask.
That's just my 2 cents... which is approximately what's left out of my paycheck once I buy an overpriced MickeyShaft product.
Honestly at this point anyone that uses Imploder is an idiot.
Execute all criminals and all crime would decrease, but new criminals will reemerge.
But criminals are not the root of the problem, nor are the creators of malicious code.
Your first question is to ask why they wrote the code in the first place and take action to address that issue.
As an applications developer, if the system is compromised due to a flaw in my design, I am held accountable and take responsibility for the flaw.
As a designer of some of the most widely used applications in the world, the company that developed them should be held accountable, in addition to the perpetrator, for negligence in the design of their application and take responsibility for their mistakes.
Fixing an issue that can arise in real damages only after the fact is not enough.
I do believe that MS should be more responsible in how they ship their products, but it has been six months now; what about the firewall vendors and virus detection companies? Isn't that what we pay them for?
How about this article? Should it take six months to report these need-to-know issues?
One more thought - Why would an advertising agency or virus developer be interested in going after browsers only a small fraction of the users install?
Complete agreement: All of these companies that provide these products and services should be more open with the information that they have and take responsibility for their design flaws.
They only release the information if they can ensure liability can be placed elsewhere. It's like you're afraid to tell anyone there's a fire because you're not sure you're the one that started it.
Too bad there isn't a law that protects the end users from faulty software.
- So typical
June 25, 2004 12:33 PM PDT
- I like Microsoft Windows but it seems they cannot get it right. What's up with the continuous onslaught of security problems? Every time I turn on the computer there is another update or warning about yet another security issue or another possible attack, and the news only comes after the facts. Does anybody at Microsoft ever consider these things when they write this stuff? Or is it job time security and not computer security that's the issue? Will someone please tell Bill Gates that after all these years of development (at the public's expense) and the unknown amount of monies paid for a crash out of the box system that is guaranteed to cost you all your data (TIME) that we deserve something that works! I bet Bill uses Linux at home.