BBC stories used as bait for IE exploit

By Joris Evers
Staff Writer, CNET News

4 comments

Related Stories: Second unofficial fix plugs IE hole
March 28, 2006; Microsoft mulls rushing out IE patch
March 24, 2006; Another IE bug hits Microsoft
March 21, 2006; Pop-up program reads keystrokes, steals passwords
June 29, 2004

Cybercrooks are spamming e-mail messages to trick people into visiting malicious Web sites that exploit a recent Internet Explorer flaw, experts warned Thursday.

The Web sites take advantage of the vulnerability in the omnipresent Microsoft Web browser to install a keystroke logger on vulnerable computers, according to San Diego-based Websense Security Labs.

"This keylogger monitors activity on various financial Web sites and uploads captured information back to the attacker," Websense said in an alert. The malicious software could capture log-in names and passwords for the sites, information criminals could sell or possibly use to plunder a victim's account.

The e-mail messages used to lure people to the Web sites contain excerpts from BBC news stories and offer a link to "read more," Websense said. This link leads to a forged BBC Web page where the malicious software is dropped onto a vulnerable PC by exploiting the "createTextRange()" vulnerability in IE, according to Websense's alert.

The vulnerability has to do with how Internet Explorer handles the createTextRange() tag in Web pages. Since the flaw was disclosed publicly last week, more than 200 Web sites have been found to exploit it. These sites typically install spyware, remote control software and Trojan horses on vulnerable PCs.

Microsoft has said it is working on a fix for the browser. That update is currently scheduled for delivery April 11, Microsoft's regular monthly patch day. However, the Redmond, Wash., company has said it's considering an earlier release.

Meanwhile, two security companies have beaten Microsoft to the punch. eEye Digital Security and Determina both released unofficial fixes for the IE flaw earlier this week. Experts, however, have warned users to be cautious with non-Microsoft fixes and instead suggest using a Web browser other than IE, or disabling Active Scripting, which is also Microsoft's advice.

See more CNET content tagged:
Websense Inc., spamming, malicious software, flaw, vulnerability

Add a Comment (Log in or register) (4 Comments)

Nothing fresh here

by n3td3v March 30, 2006 7:38 PM PST

Nothing fresh in this article apart from what we already found out when Websense sent the industry an e-mail alert some 4 and a half hours ago. Maybe Cnet just re-publish Websense e-mail alerts when they get bored on a Thursday evening.

Reply to this comment

Which makes them.........
by PlOtTiNg March 31, 2006 6:28 AM PST: No different than you and your elite hacker group!

Regurgitation of everyone else's research.; View reply Hide reply
Processing

(4 Comments)

Latest tech news headlines

Twitter, LinkedIn team up for self-promotion free-for-all
Posted in The Social by Caroline McCarthy

November 9, 2009 10:46 PM PST
'Elf Yourself' returns with Facebook and Twitter power
Posted in The Social by Caroline McCarthy

November 9, 2009 9:18 PM PST
Justice Dept. asked for news site's visitor lists
Posted in News - Politics and Law by Declan McCullagh

November 9, 2009 9:10 PM PST
See all headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Markets: Market news, charts, SEC filings, and more; Related quotes; Microsoft (1.65%) 0.47 28.99; WEBSENSE INC (1.45%) 0.23 16.13; Dow Jones Industrials (2.03%) 203.52 10,226.94; S&P 500 (2.22%) 23.78 1,093.08; NASDAQ (1.97%) 41.62 2,154.06; CNET TECH (2.03%) 31.22 1,569.62

Inside CNET News

Scroll Left Scroll Right

The Web Services Report
Microsoft releases SDK for Facebook
The software giant releases a software development kit for Facebook, allowing developers to make applications for the social-networking site with Silverlight and WPF.
Gallery
Images: Firefox through the ages
Technically Incorrect
In Apple parody, Florida says 'there's no app for this'
It seems that everyone is getting at Apple these days. A new ad campaign from the Florida Keys and Key West suggests there's no app for the wonderful experience of being there.
Beyond Binary
Microsoft releases Exchange 2010, acquires Teamprise
At TechEd Europe, Redmond offers the latest on its e-mail and calendar server. Meanwhile, it also scoops up a developer tool for creating code in multiple OSes.
Video
Exploratorium's shocking 40th anniversary kicks off
Technically Incorrect
New Verizon ad pushes Droid's manly side
In its latest spot, Verizon's Droid is declared to be a robotphone, while the iPhone resembles something that can only be for girls.
Video
A new workout for the Wii
The Social
Twitter, LinkedIn team up for self-promotion free-for-all
Partnership means that status messages can be interchangeable between the two: great for all those marketers who use the two to broadcast their own brands.
Cutting Edge
Winner declared in space elevator race
LaserMotive wins $900,000 in NASA's Space Elevator challenge, where teams compete to see who could drive their space elevator the fastest.
Gallery
Photos: Top-rated reviews of the week
Crave
Ricoh goes modular for GXR camera system
Rather than interchangeable lenses, Ricoh's new system uses sealed modules combining a lens and sensor. But will its high price render the whole thing a nonstarter?
The Car Tech blog
2010 Tesla Roadster Sport first drive
CNET Car Tech spends time with the 2010 Tesla Roadster Sport.