Full Disclosure mailing list archives
Web sites compromised by IIS attack
From: "TIERNAN RAY, BLOOMBERG/ NEWSROOM:" <TRAY2 () bloomberg net>
Date: Wed, 30 Jun 2004 16:58:50 -0400
Microsoft Says Hackers Exploit Server, Browser Flaws (Update2)

(Adds comments from Network Associates, Symantec in eighth, 12th paragraphs.)

By Tiernan Ray and Vivek Shankar

June 25 (Bloomberg) -- Microsoft Corp., the world's largest software maker, said the combination of a newly found flaw in its Internet browser program and one in its Web server software lets hackers take over personal computers.

The new flaw in Microsoft's Internet Explorer Web browser was revealed on Internet mailing lists on June 8, and the company is rushing to create a fix, said Stephen Toulouse, security program manager. Sites running Microsoft server software, such as the Kelley Blue Book, were infected with malicious code.

The combined attack on its server and browser software presents Microsoft with a mystery. Hackers were able to insert computer code into Web pages served up by Microsoft's ``IIS'' Web server software. The inserted code takes control of PCs running Internet Explorer, Toulouse said. The company is trying to determine how hackers gained access to the Web servers.

``Any time our customers are under attack, it's on the table to provide an update ahead of the regular update,'' he said, when asked when the company would provide a fix for Internet Explorer. He was referring to the regular Microsoft security updates that occur every second Tuesday of the month.

``Our site was infected,'' said Robyn Eckard, a spokeswoman for Kelley Blue Book, an automotive pricing site at http://www.kbb.com. Users tipped off the site Wednesday that one of 15 Web servers running Microsoft's IIS was infected, she said.

Infected Pages

The infected pages were replaced and the site was restored to normal function by Thursday morning, she said. Kelley Blue Book is monitoring the site for any further attack and is awaiting instructions from Microsoft, Eckard said.

The attack places a program on personal computers that can steal passwords from the machines, said Vince Gullotto, vice president of the McAfee anti-virus software division at Santa Clara, California-based Network Associates Inc.

``I'm not even sure there's a word for what's happening,'' Gullotto said. Although neither the server nor the browser attack is new, the combination doesn't fit with standard examples of computer viruses and worms, he said.

The McAfee group is researching samples of computer code obtained from clients to understand the nature of the attacks, Gullotto said. The attacks appear not to be widespread, he said.

Microsoft said the compromised Web servers weren't updated with a software fix the company issued on April 13, Toulouse said. The company also said it doesn't know if the fix would have averted the attacks.

April Patch

``Our investigation has revealed that servers compromised did not have'' the fix, he said. The April patch addressed more than one problem with Microsoft software.

``The far greater danger here is the problem with Internet Explorer,'' said Alfred Huger, a researcher with Cupertino, California-based Symantec Corp., the largest maker of anti-virus software. ``The number of people using browsers is much larger than the number of servers that could be affected,'' he said.

The U.S. Department of Homeland Security's Computer Emergency Readiness Team issued an alert on its Web site recommending computer users turn off their browser's ability to use JavaScript, the code it claimed hackers are using to compromise Web pages.

``US-CERT recommends that end-users disable JavaScript unless it is absolutely necessary,'' said the notice.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html