February 17, 2009 3:00 PM PST

New exploit targets IE 7 hole patched last week

by Elinor Mills

Cybercriminals are exploiting a critical hole in Internet Explorer 7 that was patched a week ago by Microsoft, security firm Trend Micro warned on Tuesday.

The malicious code, which Trend Micro named "XML_DLOADR.A," is hidden in a Word document. On unpatched systems, when the file is opened, an ActiveX object automatically accesses a Web site to open a backdoor that installs a .DLL (dynamic link library) file capable of stealing information, according to a Trend Micro blog entry. The code sends the stolen data to another Web address via port 443, Trend Micro said.
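As an added example (not part of the CNET article or Trend Micro's analysis), the following Python script scans constructed endpoint telemetry for the two observable steps of the chain described above: a Word-originated process making an outbound connection on port 443 to a non-internal address, and a Word-originated process writing a DLL. The log format, process names, internal address ranges and sample addresses are assumptions made for illustration.

```python
"""Added detection example: flag the observable steps of the infection chain
described in the article (Word document -> ActiveX fetch over 443 -> DLL drop)
in endpoint telemetry. The log format below is constructed for this example
and is not any vendor's real format:  ts|event|pid|ppid|image|detail
"""
import ipaddress
from collections import namedtuple

Event = namedtuple("Event", "ts kind pid ppid image detail")

# Office applications that rarely have a legitimate reason to reach the Internet directly
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Assumed internal ranges; outbound 443 to anything else from an Office process is suspicious
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a benign Word session, then one matching the described chain
SAMPLE_LOG = r"""
10:00:01|process|400|100|explorer.exe|
10:00:05|process|410|400|WINWORD.EXE|C:\Users\bob\Documents\report.doc
10:00:09|network|410|400|WINWORD.EXE|10.0.0.20:443
10:05:00|process|520|400|WINWORD.EXE|C:\Users\bob\Downloads\invite.doc
10:05:03|network|520|400|WINWORD.EXE|203.0.113.7:443
10:05:04|file|520|400|WINWORD.EXE|C:\Windows\System32\dropped.dll
10:05:06|process|530|520|cmd.exe|whoami
10:05:07|network|530|520|cmd.exe|198.51.100.9:443
"""


def parse(log):
    """Turn the pipe-delimited telemetry into Event tuples (image names lowercased)."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, kind, pid, ppid, image, detail = line.split("|", 5)
        events.append(Event(ts, kind, int(pid), int(ppid), image.lower(), detail))
    return events


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def office_ancestor(pid, parents, images):
    """Walk the parent chain; return the Office image that spawned this process, if any."""
    seen = set()
    while pid in images and pid not in seen:
        seen.add(pid)
        if images[pid] in OFFICE_IMAGES:
            return images[pid]
        pid = parents.get(pid)
    return None


def detect(log):
    """Return (rule, pid, originating Office image, detail) tuples for suspicious events."""
    parents, images, alerts = {}, {}, []
    for ev in parse(log):
        parents.setdefault(ev.pid, ev.ppid)
        images.setdefault(ev.pid, ev.image)
        origin = office_ancestor(ev.pid, parents, images)
        if origin is None:
            continue
        if ev.kind == "network":
            ip, port = ev.detail.rsplit(":", 1)
            if port == "443" and not is_internal(ip):
                alerts.append(("office_https_egress", ev.pid, origin, ev.detail))
        elif ev.kind == "file" and ev.detail.lower().endswith(".dll"):
            alerts.append(("office_dll_drop", ev.pid, origin, ev.detail))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The internal-range allowlist is what keeps the benign session quiet; in a real deployment the same rule would also need an allowlist for legitimate Office cloud endpoints.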

As a result of the back door, "anybody can run commands on the affected system," said Jamz Yaneza, a senior threat analyst and researcher at Trend Micro.

Microsoft released a security patch for this vulnerability a week ago, alongside patches for other flaws. The vulnerability arises from the browser's improper handling of errors when it attempts to access deleted objects.

"It looks like a proof of concept or targeted attack," Yaneza said. The exploit is similar to politically motivated attacks that were seen before the Olympics last year in which PDF files and Word documents contained exploit code and automatically connected computers to malicious Web sites, he said.

The site the code connects to appears to be in China, and there is Chinese terminology in the code, according to Yaneza. That, together with the approaching 50th anniversary of the Tibetan uprising on March 10, suggests that this attack could be politically motivated as well, he said.

"People need to speed up how they patch their OSes, or turn on auto update in Windows," Yaneza said.

[Graphic: how the new IE7 exploit code installs a backdoor on an unpatched computer. Credit: Trend Micro]
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by Imalittleteapot February 17, 2009 3:59 PM PST
You can't really help people if they don't patch their OS. A non-issue. If it was an issue that un-patched systems can be hacked then I'd be more worried about all the viruses out there that attack Windows XP SP1 or RTM. There's probably a lot of more of those still circulating out there, but since those are already patched we don't talk about those right? Well, this is already patched. Run Windows Update and be done with it.
by The_happy_switcher February 17, 2009 4:27 PM PST
And what about those people who have already been hacked before the patch was available? I guess they're just f****d courtesy of Microsoft, right?
by bananaphonerules February 17, 2009 4:57 PM PST
[AppleRocks1963]
And Apple is better at security and disclosure?

Ignoring their past mistakes, you can't fault Microsoft's openness and focus on security in the last 2 years.
I'm happy they are learning and moving forward.

It's 2009 not 1963 ;-)
by Imalittleteapot February 17, 2009 4:59 PM PST
AppleRocks1963 You know what they might do? Instead of buying Windows over and over and over and over and then complaining about when they get hacked and hacked and hacked and then continuing to buy Windows. Perhaps these people should switch OSes.
by Mr. Dee February 17, 2009 5:47 PM PST
2001 Mac OS X 10.0 - $129
2001 Mac OS X 10.1 - $19
2002 Mac OS X 10.2 - $129
2003 Mac OS X 10.3 - $129
2004 Mac OS X 10.4 - $129
2005 Mac OS X 10.5 - $129

Total: $664

2001 Windows XP - $99 Upgrade

Windows XP SP3 vs. Mac OS X (10.0) - you tell me which one is secure and cheaper? It surely can't be the OS that Apple made obsolete with the next release a few months down the line.

Didn't Apple release some updates the other day that turned their OS into a ROCK?
by random truth February 17, 2009 8:58 PM PST
lol, mr. dee.
I can't stop laughing at you. You are comparing 5 OS releases versus one OEM upgrade. Are you for real? All that is showing is that Microsoft is slow at development. Let's count the features that cost extra on Windows. Since you are doing a single OEM install of Windows we can say that you won't have any programs included with the computer because OEM XP disks don't let you just update.
-Dvd Playback - $40-$20
-File Vault which would require a more expensive version of windows to get bitlocker...
-Disk Utility, One of the most powerful partition editors I have ever used right next to fdisk. Would cost $20+
-Spaces, A virtual desktop app, Require an app that is $15+
-Time Machine Backup, To get an app even close would require a payment of $15+
-Anti Virus software, there are only two viruses that have worked in 10.0 and both were proof of concept. You take a performance hit and a price hit if you don't use free ones.
-Higher minimum requirements require a hardware upgrade $150+

See I can go on for at least 10 pages. If you want to include 10.5 you must also include vista Ultimate $400.
by Vegaman_Dan February 17, 2009 10:10 PM PST
Applerocks1963:

"And what about those people who have already been hacked before the patch was available? I guess they're just f****d courtesy of Microsoft, right? "

The exploit was created a week *after* the hole was already patched by the OEM. Unless you know how to travel through time, then nobody had their system hacked before the patch was available. It's right there in the story if you read it completely.

Also, profanity, no matter how much you try to hide it, is not acceptable behavior on this board. Please curtail your usage accordingly.
by ferretboy88 February 18, 2009 5:54 AM PST
I just picked up Vista Home Premium for $79, no tax or shipping. That is less than OSX. I more than got my money's worth out of XP. Paid $200 for it 4 years ago and still use it. I never had my computer hacked or personal info taken. I also don't go on Russian porn sites; I'm sure that helps.
by homercles82 February 18, 2009 6:40 AM PST
"by random truth February 17, 2009 8:58 PM PST
lol, mr. dee.
I can't stop laughing at you. You are comparing 5 OS releases versus one OEM upgrade. Are you for real? All that is showing is that Microsoft is slow at development. Let's count the features that cost extra on Windows. Since you are doing a single OEM install of Windows we can say that you won't have any programs included with the computer because OEM XP disks don't let you just update.
-Dvd Playback - $40-$20
-File Vault which would require a more expensive version of windows to get bitlocker...
-Disk Utility, One of the most powerful partition editors I have ever used right next to fdisk. Would cost $20+
-Spaces, A virtual desktop app, Require an app that is $15+
-Time Machine Backup, To get an app even close would require a payment of $15+
-Anti Virus software, there are only two viruses that have worked in 10.0 and both were proof of concept. You take a performance hit and a price hit if you don't use free ones.
-Higher minimum requirements require a hardware upgrade $150+

See I can go on for at least 10 pages. If you want to include 10.5 you must also include vista Ultimate $400. "

You can find free, highly functional and easy to use programs that you listed above on download.cnet.com

You cannot win this.
by tcr071 February 18, 2009 7:03 AM PST
You have to be doing something stupid to get the .doc onto your computer in the first place. Not like any regular person out there surfing the web can have this happen to them even IF they aren't patched.
by b_baggins February 18, 2009 9:22 AM PST
@mrdee,

So, now it's a bragging point that MS couldn't get an OS out the door for 5 years because it means you saved money? Because, of course we all know that Apple never releases a security update for any of their operating systems but makes you go out and buy a new version, and that if you don't buy every version the day it is released, the Apple police come to your house and confiscate your Macintosh.

Continuing evidence that just because you've been given a brain does not mean you've been trained in its use.
by SactoGuy018 February 17, 2009 4:03 PM PST
The nice thing about Windows XP SP2 and Windows Vista is that by default they force users to install the latest security updates on an as-needed basis. As such, I have this update installed, along with additional protection from Windows Defender and the commercial Norton Internet Security 2008 security suite.
by Penguinisto February 17, 2009 4:07 PM PST
Weee! another result of bad design (really - a document that can contain executables? ***?)
by this1! February 17, 2009 4:27 PM PST
yea, makes me really glad i use openoffice and dont use crap like docx ever...
by kojacked February 17, 2009 5:49 PM PST
@Peng: "(really - a document that can contain executables? ***?)"

The article didn't say executable -- you did. Here's what it actually said: "when the file is opened an ActiveX object automatically accesses a Web site". Word allows controls and ActiveX objects to be embedded in documents for use in forms and workflow automation.

Keep the FUD coming... The year of the Linux Desktop is just around the corner!
by Imalittleteapot February 17, 2009 6:58 PM PST
Yeah having code and scripts in a document, while cool and all, is about the dumbest thing ever invented security wise.
by kojacked February 17, 2009 7:58 PM PST
@TeaPot:

It's called Microsoft Office for a reason. Used by office people for office stuff. Do you think they care what you think about their desire for automating dreary office tasks? Hell, they might as well go back to pen and paper with your line of reasoning. It sure is safer!
by Imalittleteapot February 17, 2009 8:09 PM PST
kojacked Well that was pleasant. I use Office you know. I have scripts in some of my documents. From a security point of view it is about the dumbest thing ever invented, but only from a security point of view. From an entirely different point of view it is obviously useful or we wouldn't have it.

I know my comment was only one sentence long, but hey at least try to read all of it.
by Vegaman_Dan February 17, 2009 10:12 PM PST
Please read the article before posting. Your comment was in error.
by gofalcons February 18, 2009 7:49 AM PST
hey pen, wheres the apple patch to fix the poor design on osx where its useless in the workplace, and the patch for poor software availability, or what about the patch to lower to price of an overpriced computer that does half the work.............keep crying about viruses, and ill keep working away on my windows pc, making money, since apple cant do that.
by Penguinisto February 18, 2009 7:53 AM PST
@kojacked - go look up ActiveX and get back to us, mm'kay?

Thx in advance,
/P
by kojacked February 18, 2009 12:14 PM PST
@Peng:

I did: http://en.wikipedia.org/wiki/Activex

You fail.
by mdwstmusik February 18, 2009 2:05 PM PST
@gofalcons
"hey pen, wheres the apple patch to fix the poor design on osx where its useless in the workplace, and the patch for poor software availability, or what about the patch to lower to price of an overpriced computer that does half the work.............keep crying about viruses, and ill keep working away on my windows pc, making money, since apple cant do that."

Translation: Oh yea, if you don't like Windows, then you're just a big doody-head!

Great argument.
by eltoro2827 February 17, 2009 4:11 PM PST
Whee.......and apple is also well on their way as well.
by Penguinisto February 17, 2009 4:26 PM PST
Really? please, show us where and how, if you can.
by wolivere February 17, 2009 4:31 PM PST
So you need to be unpatched, you need to open a .doc from an unknown user, and then you need to have port 443 open on your firewall. I guess it can happen, but then again it's like the old horse and water thing, right?
by Vegaman_Dan February 17, 2009 10:15 PM PST
You forgot also to add that you need to travel through time since the hole was patched a week before the exploit.

People who don't patch their systems or keep them up to date really need better education in basic system maintenance. OS X, Linux, Windows- they all have update services available and there really is no excuse to not have them running.
by tm_anon February 18, 2009 12:37 AM PST
On Linux, updates aren't annoying. I just installed some updates while reading this article and I didn't have to reboot and they didn't slow my computer down.

When I used XP, I had auto-update running. I would get my updates and install them immediately like a good boy and my treat was having to stop what I was doing and reboot each and every time. In addition, even though those updates run in the "background", they slowed my productivity down. Then, if I wanted to finish what I was doing first, I'd have the "restart now/ restart later" dialogue box pop up every few minutes over what I was working on.

I haven't used OS X so I can't speak for Mac users, but for Windows, the auto-update feature needs to be fixed. Just like UAC, auto-update in Windows is incredibly annoying.
by wolivere February 18, 2009 4:52 AM PST
Odd I just patched my Ubuntu and I had to reboot, and once again I lost my video config. Patching in Windows is pretty painless also.

I would say 1/5 to 1/4 of my Linux patches require a reboot, which is a little lower than Windows. But again it does patch and it does nag you, and it takes what, a few minutes to reboot?

In the corp world most companies test patches first; they need to get them past CAB. Then they need to prep them to roll out. So yes, in the corp world there is a delay. But also in worlds that have such processes they also have things like .doc attachments being stripped on the way in, ports being locked down. They run AV applications, they have ID/IP/HID/SID, content filtering, ARS running. In other words, corps that have the ITIL/SOX measures in place are most likely not going to worry much about this.
by random truth February 18, 2009 5:57 AM PST
@wolivere
The script probably opens port 443 on your router with UPnP.
by tcr071 February 18, 2009 7:06 AM PST
That is very odd because I just noticed that 7 had finished installing an update for me. I never knew it was happening. How intrusive... sneaking around...
by ferretboy88 February 18, 2009 6:03 AM PST
Nobody in their right mind ever paid $400 for Vista. Newegg and other online stores have it with no tax (NY) or shipping (to NY) for $79-$129. I was stupid enough to pay $109 for OSX and it didn't even come with iLife. I should have just taken it from bittorrent like most mac fans.
by tcr071 February 18, 2009 7:07 AM PST
No, you should have gone to a nearby college and paid some kid to get you an unlimited install copy for $25.
by Dalkorian February 18, 2009 9:22 AM PST
Do you think anyone really believes the lies you spew forth like filth from a broken sewer line, Ferretboy?
by handicappedpets February 18, 2009 7:58 AM PST
If the backdoor has already been installed, will downloading the patch solve the problem, or does the patch only work if the 'hole' is closed BEFORE the malicious code is installed?

Mark C. Robinson
HandicappedPets.com
by Penguinisto February 18, 2009 8:08 AM PST
So let's see... while Windows machines by the legion are being owned (again), we get the following excuses:

"You forgot also to add that you need to travel through time since the hole was patched a week before the exploit. " -and- "People who don't patch their systems or keep them up to date really need better education in basic system maintenance."

This apologist falsely assumes that everyone applies a patch immediately after it is released. He also falsely assumes that the exploit was released and utilized exactly one week after the patch, when it has most likely been in use within 24 hours of said patch.

So why not just patch that day and be done? Well... you don't do that for anything but your home systems if you want to keep your computer running, unless you understand exactly what is being patched, every time. Given any vendor's ongoing history of having patches break things, any professional that 'panic-patches' business systems without testing (esp. within 24 hours) is usually bound to get fired. You have to test the patch first. This provides a window of opportunity for the malware kiddies. This window is usually 1-2 weeks at most, depending on workload and criticality. We're still in that window.

"wheres the apple patch to fix the poor design on osx where its useless in the workplace"

This apologist has no answer at all to the basic question of why any vendor in their right mind would embed executable scripts into a document in the first place, so he/she/it decides to try to use handwaving and distraction.

"Whee.......and apple is also well on their way as well"

This apologist also tries handwaving, but does so in pure ignorance. When asked for some sort of evidence, he/she/it disappears.

So basically? Another Windows virus rampages throughout the world, and apologists have nothing to show for it.

/P
by Dalkorian February 18, 2009 9:33 AM PST
Ouch Peng. You hurt yourself there. Do you see it? Come on Peng, I've defended you many times in the past and I *KNOW* you know better than this. Look again, I bet you catch it on your own.

Don't read the next paragraph, it's for the other dolts out there who won't get it. Ever.

Show me where opening a document to load the "goodies" inside is defined as a "virus". Or did I just miss the part where this thing self-propagates? What we have here looks to me like a trojan - one enabled by idiotic design enabling ActiveX scripts to run from text documents (ok, Word documents) and secretly open backdoors to the system - but a trojan nonetheless. It's easy to exploit on winblows because of poor design, but *nix (including OS X) wouldn't necessarily be protected against this in any significant way. User opens a document, script runs - end of story. It would be much harder to hide this in *nix (user would likely get a password prompt, which would raise alarms - unless something else was being exploited as well), but it's still possible.

Bottom line lesson here folks - patch those systems ASAP.
by tesseract7 February 18, 2009 10:48 PM PST
As a Mac owner, I am rather surprised you know what the word "apologist" actually means. After all, you're the same type of person that spends 2-5x more on a notebook for hardware, most of the time, that wouldn't be caught dead on anything above a middle of the line PC notebook, and then has the audacity to try and justify it.

I have a question for you then: why is it that Mac's are becoming more and more PC-like? You're no longer using your own hardware, you have your own versions of our 1ST PARTY software (i.e. Office), Windows is straight up bootable (something I thought would NEVER happen) on a Mac, etc. Why is that? Hmmmmmmm? AND your beloved company then charges you, like previously stated, two to five times as much! All for what? An OS that is boring, stagnant, ignorant and has absolutely no unique merits? Oh, except one:

Do you know why Mac OS seems so much easier to use, streamlined, blah blah blah...? I'll tell you, *ahem* ATTENTION ALL ********! There we go. The reason is.....OSX hides things and lies to you. Yeah, everything "feels" so streamlined and simple when they draw your attention away from the fact that you have no real control over the customization of your computer, by giving you pretty effects to play with.

Oh, and you whine that everyone does not apply a patch immediately after it is released? You have the stones to say something like that when site after site after site of Mac users drool over every single OS update, and then mindlessly PAY for what should be free incremental upgrades? Hahahahaha!

The whole point of this article is that THERE WASN'T ANY RAMPAGING VIRUS. Reading comprehension, go go go!

Oh, and if you didn't notice, I didn't say anything about Linux. That's because Linux doesn't and shouldn't count as a real Operating System...sorry, but it's true. Go ahead and make up whatever attacks you want on Windows, don't care at all. Linux is like the user-submitted game I download off of PSN, or Windows, on my PS3.
by mdwstmusik February 18, 2009 10:17 AM PST
Applerocks1963:

"The exploit was created a week *after* the hole was already patched by the OEM."

Nowhere in the article does it say that the exploit was CREATED a week *after* the hole was patched. It says "Cybercriminals are exploiting a critical hole in Internet Explorer 7 that was patched a week ago by Microsoft." We have no knowledge regarding whether or not criminals were exploiting this critical hole before Microsoft released the patch.
by SlyCooper February 19, 2009 4:36 PM PST
I wish someone would write some code that would detect words of 'Apple', 'Microsoft', and 'sucks' and simply remove any post. I can't read any post on any site these days due to flame wars arising at every article. Isn't anyone getting tired of this? Just STOP. No one cares about your opinion of which OS is better.
by IanX211 February 19, 2009 10:28 PM PST
agreed, every time there's an article on the Internet about spyware, viruses, OS exploits, etc., the comments for the article become a PC/Windows v. Mac
by jammer066 February 21, 2009 7:34 AM PST
u people make me sick-u bicker back and forth about which is better-windows or oems.
the bottom line is-what do u like best
both work great-i should know-i use both
security software can be found free for both os systems-u don't have to pay if u don't won't to.
i run win xp sp2 and have had no problems what-so-ever
use avg, spybot, ad-aware, and several others on both systems( all FREE)

but if u want to continue bickering-be my guest.

when ur's done-u will know i'm right-both systems are fine and work great. If u get hacked-it's no ones fault but ur own.

and stay away from adult nude sites or any other nude sites and u won't have to worry.