[Full-Disclosure] Web sites compromised by IIS attack




Microsoft Says Hackers Exploit Server, Browser Flaws (Update2)

     (Adds comments from Network Associates, Symantec in eighth,
12th paragraphs.)

By Tiernan Ray and Vivek Shankar
     June 25 (Bloomberg) -- Microsoft Corp., the world's largest
software maker, said the combination of a newly found flaw in its
Internet browser program and one in its Web server software lets
hackers take over personal computers.
     The new flaw in Microsoft's Internet Explorer Web browser was
revealed on Internet mailing lists on June 8, and the company is
rushing to create a fix, said Stephen Toulouse, security program
manager. Sites running Microsoft server software, such as the
Kelley Blue Book, were infected with malicious code.
     The combined attack on its server and browser software
presents Microsoft with a mystery. Hackers were able to insert
computer code into Web pages served up by Microsoft's ``IIS'' Web
server software. The inserted code takes control of PCs running
Internet Explorer, Toulouse said. The company is trying to
determine how hackers gained access to the Web servers.
     ``Any time our customers are under attack, it's on the table
to provide an update ahead of the regular update,'' he said, when
asked when the company would provide a fix for Internet Explorer.
He was referring to the regular Microsoft security updates that
occur every second Tuesday of the month.
     ``Our site was infected,'' said Robyn Eckard, a spokeswoman
for Kelley Blue Book, an automotive pricing site at
http://www.kbb.com. Users tipped off the site Wednesday that one
of 15 Web servers running Microsoft's IIS was infected, she said.

                          Infected Pages

     The infected pages were replaced and the site was restored to
normal function by Thursday morning, she said. Kelley Blue Book is
monitoring the site for any further attack and is awaiting
instructions from Microsoft, Eckard said.
     The attack places a program on personal computers that can
steal passwords from the machines, said Vince Gullotto, vice
president of the McAfee anti-virus software division at Santa
Clara, California-based Network Associates Inc.
     ``I'm not even sure there's a word for what's happening,''
Gullotto said. Although neither the server nor the browser attack
is new, the combination doesn't fit with standard examples of
computer viruses and worms, he said.
     The McAfee group is researching samples of computer code
obtained from clients to understand the nature of the attacks,
Gullotto said. The attacks appear not to be widespread, he said.
     Microsoft said the compromised Web servers weren't updated
with a software fix the company issued on April 13, Toulouse said.
The company also said it doesn't know if the fix would have
averted the attacks.

                            April Patch

     ``Our investigation has revealed that servers compromised did
not have'' the fix, he said. The April patch addressed more than
one problem with Microsoft software.
     ``The far greater danger here is the problem with Internet
Explorer,'' said Alfred Huger, a researcher with Cupertino,
California-based Symantec Corp., the largest maker of anti-virus
software. ``The number of people using browsers is much larger
than the number of servers that could be affected,'' he said.
     The U.S. Department of Homeland Security's Computer Emergency
Readiness Team issued an alert on its Web site recommending
computer users turn off their browser's ability to use JavaScript,
the code it claimed hackers are using to compromise Web pages.
     ``US-CERT recommends that end-users disable JavaScript unless
it is absolutely necessary,'' said the notice.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html