Message-ID: <freemail.20040510101421.26543@fm4.freemail.hu>
From: etomcat at freemail.hu (Feher Tamas)
Subject: FD info prompts M$ to summon the FBI on spy-vertisers
http://zdnet.com.com/2100-1105-5229707.html
IE flaws used to spread pop-up toolbar
by Robert Lemos, CNET News, 09 June 2004
An adware purveyor has apparently used two previously unknown
security flaws in Microsoft's Internet Explorer browser to install a
toolbar on victims' computers that triggers pop-up ads, researchers
said this week.
One flaw lets an attacker run a program on a victim's machine, while
the other enables malicious code to "cross zones," or run with
privileges higher than normal. Together, the two issues allow for the
creation of a Web site that, when visited by victims, can upload and
install programs to the victim's computer, according to two analyses of
the security holes.
The possibility that a group or company has apparently used the
vulnerabilities as a way to sneak unwanted advertising software, or
adware, onto a user's computer could be grounds for criminal charges,
said Stephen Toulouse, security program manager for Microsoft.
"We consider that any use of an exploit to run a program is a criminal
use," he said. "We are going to work aggressively with law
enforcement to prosecute individuals or companies that do so."
Microsoft learned of the issue when a security researcher posted an
analysis of the problem to the Full Disclosure security mailing list
Monday. The software giant has already contacted the FBI and is in
the "early stages" of building the case, Toulouse said. The company is
considering creating a patch quickly and releasing it as soon as
possible, rather than waiting for its usual monthly update.
The flaws are apparently being used to install the I-Lookup search bar,
an adware toolbar that is added to IE's other toolbars. The adware
changes the Internet Explorer home page, connects to one of six
advertising sites and frequently displays pop-ups--mainly pornographic
ads, according to an adware advisory on antivirus company Symantec's
Web site.
On Tuesday, security information group Secunia released an advisory
about the problem, rating the two flaws "extremely critical."
"Secunia has confirmed the vulnerabilities in a fully patched system with
Internet Explorer 6.0," the group wrote. "It has been reported that the
preliminary SP2 (a major security update being developed by Microsoft)
prevents exploitation by denying access."
The flaws could let any attacker with a Web site send an e-mail
message or an instant message with a link that, when clicked on by an
Internet Explorer user, would cause a program to run on that victim's
computer.
The original analysis, written by a Netherlands student researcher,
Jelmer Kuperus, found that the type of programming needed to
take advantage of at least one of the flaws required sophisticated
knowledge of the Windows operating system.
"While sophisticated, it's so easy to use, anyone with basic computer
science can set up such a page, now that the code is out there in the
open," Kuperus wrote in an e-mail interview with CNET News.com. "It's
just a matter of changing two or three (Internet addresses) and
uploading another" executable file.
Kuperus, who used an e-mail account based in the Netherlands, wrote
in a Monday e-mail that he had been tipped off to the adware Trojan
horse by an unnamed individual.
"Being rather skeptical, I carelessly clicked on the link only to witness
how it automatically installed adware on my PC!" he wrote.
The Internet address from which the adware Trojan horse was
downloaded resolves to I-Lookup.com, a search engine registered in
Costa Rica that antivirus firms Symantec and PestPatrol have linked to
aggressive advertising software. Two of the top three searches on the
site relate to removing such programs, according to I-Lookup.com's
own statistics.
A domain name search shows i-Lookup.com's parent company to be
Aztec Marketing, but PestPatrol links the site with iClicks Internet.
E-mails sent to both companies for comment were not immediately
answered.
Kuperus believes that i-Lookup.com's parent company may not be
directly responsible for the adware-installing Trojan horse program, but
that it could be rewarding the creator through an affiliate program.
"It does pass along a referrer code when downloading," he
said. "Whomever created this probably is getting money for every
install, so if the folks at (i-Lookup.com) would be willing, they would be
able to track down the perpetrators."
Microsoft's Toulouse said Internet Explorer users could harden the
software against such attacks by following instructions on the
company's site. Other browsers available on Windows, such as Opera
and Mozilla, do not contain the flaws.