During the weekend of March 25-26, malware hunters discovered more than 200 unique URLs using the unpatched IE flaw to launch drive-by downloads of bots, spyware, back doors and other Trojan downloaders.

http://www.eweek.com/article2/0,1895,1943450,00.asp

During the weekend of March 25-26, malware hunters discovered more than 200 unique URLs using the unpatched IE flaw to launch drive-by downloads of bots, spyware, back doors and other Trojan downloaders.[/url]Good heavens... I am sooooo glad I use Firefox.

Updated: Microsoft confirms a wave of drive-by downloads targeting a zero-day browser vulnerability and says Internet Explorer users can expect a patch on April 11, if not sooner.


3 comments posted
Add your opinion


Malicious hackers are using hijacked Web servers and compromised sites to launch a wave of zero-day attacks against an unpatched flaw in Microsoft's Internet Explorer browser.
ADVERTISEMENT

The first wave of drive-by downloads was spotted on March 25, and security experts tracking the attack say the threat is growing at a rate of 10 new malicious URLs every hour.

http://www.eweek.com/article2/0,1895,1942566,00.asp

Let's see here... the problem is growing at the rate of 10 new malicious URLs per hour, and Microsoft says we're on our own until probably April 11. Have I mentioned lately how glad I am that I use Firefox?

Let's see here... the problem is growing at the rate of 10 new malicious URLs per hour, and Microsoft says we're on our own until probably April 11. Have I mentioned lately how glad I am that I use Firefox? Don't worry. Somebody will figure out how to get around your defenses and produce a cheap spyware kit or root kit to attack the hole :)

David H.

Don't worry. Somebody will figure out how to get around your defenses and produce a cheap spyware kit or root kit to attack the hole :)You're such a comfort, David...

You're such a comfort, David...

Judy

http://blogs.pcworld.com/staffblog/archives/001747.html

Third party patches for IE are a short-term kludge for MR BILL's latest mess.

Refusing to use IE is an even better solution.

Refusing to use IE is an even better solution.

IE is still in use? <g>

IE is still in use? <g>By some foolish mortals...

By some foolish mortals...
Hey, there are some web sites that require it, and that I am required to use. :(

--Lindsey

Hey, there are some web sites that require it, and that I am required to use. :( :( indeed. I simply refuse to use websites that require IE, and, fortunately, none of the ones that require it are ones I have to use.

By some foolish mortals...

Hay, it works! Behind a router, a software firewall, and a daily updated AV...

- Yeff

Hay, it works! Behind a router, a software firewall, and a daily updated AV...And if that's not enough, we'll put together a whole new OS you can get... after buying new hardware...

:( indeed. I simply refuse to use websites that require IE, and, fortunately, none of the ones that require it are ones I have to use.
Actually, I can access the EpsonExpert site without IE. I only have to use IE if I actually want to download any of the information files that I came to the site to get. :rolleyes:

Some parts of the Federal Reserve web site are set up excusively for IE as well.

--Lindsey

Some parts of the Federal Reserve web site are set up excusively for IE as well.That's just plain wrong. It annoys me nooooooo end that the Government falls for this IE trap (crap?) all the time.

Some parts of the Federal Reserve web site are set up excusively for IE as well.That is excellent! Keep out all those Mac and Linux trouble-makers.

Obviously not worthy of full citizenship, either! http://www.desktoppublishingforum.com/bb/images/smilies/rolleyes.gif

That's just plain wrong. It annoys me nooooooo end that the Government falls for this IE trap (crap?) all the time.
What can I say? They want CONTROL, so they use ActiveX applications.

--Lindsey

That is excellent! Keep out all those Mac and Linux trouble-makers.
Yeah, not to mention all those Mozilla subversives...

--Lindsey

That is excellent! Keep out all those Mac and Linux trouble-makers.

Obviously not worthy of full citizenship, either! http://www.desktoppublishingforum.com/bb/images/smilies/rolleyes.gif Maybe keep the MacIntosh. Motherhood and apple pie, y'know.

David H.

I know why they do it... but it's still stooooopid.

I know why they do it... but it's still stooooopid.
Annoying, at the very least. I don't know just what to think of the Federal Reserve's development department. They've only just in the last year implemented an ACH application that wasn't DOS dependent. They'd only been working on it for some 5 years. (I think the real problem was the many security holes in Windows. When you're moving tons of money around the country every day, you don't want a system that has security holes.)

--Lindsey

You'd think that if security was the big issue, MSIE would be the last thing they'd want to code for or require of their users...

You'd think that if security was the big issue, MSIE would be the last thing they'd want to code for or require of their users...
You would, wouldn't you? But you should see the way they have layered security around their ACH operation. Physical tokens, multiple complex passwords, at least one of which requires frequent changes, special connection applet, access restricted by IP address -- it's enough to drive you batty.

--Lindsey

you should see the way they have layered security around their ACH operation. Physical tokens, multiple complex passwords, at least one of which requires frequent changes, special connection applet, access restricted by IP address -- it's enough to drive you batty.I do understand why they're doing that, but...

I do understand why they're doing that, but...
They even had the progress chart set up so that the password had to be changed monthly. (This was an area where you went during the implementation period to check off the various steps you had completed, complete surveys, etc. If you didn't check off the steps by the deadline the Fed had set for you, you got automated delinquency e-mails from them.) In the course of the implementation and testing, I had to change my password three times. I thought that was just a bit over the top. I mean, geez, this was nothing to do with moving money around, it was just marking checkboxes on the calendar.

--Lindsey

I mean, geez, this was nothing to do with moving money around, it was just marking checkboxes on the calendar.That is just a bit over the top, yes.

They even had the progress chart set up so that the password had to be changed monthly

I can imagine the highly secure passwords that resulted, meeting all the security criteria of minimum length 8 characters, mixed upper and lower case alphabetic, at least one digit, at least one special character, changed monthly, no previously used password may be reused... Nobody would ever guess something that secure:

$Jan_2006 $Feb_2006 $Mar_2006 $Apr_2006 ....


-- sidney

$Jan_2006 $Feb_2006 $Mar_2006 $Apr_2006 ....
LOL!! I'm sure you are right about that. I periodically caution our own users against things like that, try to give them tips about constructing good passwords that are fairly easy to remember, but I know from what I see on the "failed login" report that I get every day, a lot of them pay absolutely no attention. (I know that, because hardly a day goes by without someone mistakenly keying his/her password into the UserID field, which is printed on the report, even though passwords are not, so I have a pretty good idea what sorts of passwords they're using. <sigh>)

--Lindsey

I know from what I see on the "failed login" report

Does access to the failed login reports require sysadmin level security clearance? Is your level of access supposed to allow you into everyone's accounts or is that just a side effect of "We don't show passwords in failed login attempts so it isn't sensitive information" ?

-- sidney

Does access to the failed login reports require sysadmin level security clearance?
Basically, yes. I get those reports because I'm responsible for monitoring security on our main computer.

Is your level of access supposed to allow you into everyone's accounts or is that just a side effect of "We don't show passwords in failed login attempts so it isn't sensitive information" ?
The latter; and that's one reason I shred the reports when I'm through with them.

The only way I'd have access to someone else's account would be to change its password, and that activity would be reported on another security report. Since I'm not the only one who sees those (they're under dual control like any other sensitive thing), somebody would likely notice...

--Lindsey