From: TRAY2 at bloomberg.net (TIERNAN RAY, BLOOMBERG/ NEWSROOM:)
Subject: Web sites compromised by IIS attack


Microsoft Says Hackers Exploit Server, Browser Flaws (Update2)

     (Adds comments from Network Associates, Symantec in eighth,
12th paragraphs.)

By Tiernan Ray and Vivek Shankar
     June 25 (Bloomberg) -- Microsoft Corp., the world's largest
software maker, said the combination of a newly found flaw in its
Internet browser program and one in its Web server software lets
hackers take over personal computers.
     The new flaw in Microsoft's Internet Explorer Web browser was
revealed on Internet mailing lists on June 8, and the company is
rushing to create a fix, said Stephen Toulouse, security program
manager. Sites running Microsoft server software, such as the
Kelley Blue Book, were infected with malicious code.
     The combined attack on its server and browser software
presents Microsoft with a mystery. Hackers were able to insert
computer code into Web pages served up by Microsoft's ``IIS'' Web
server software. The inserted code takes control of PCs running
Internet Explorer, Toulouse said. The company is trying to
determine how hackers gained access to the Web servers.
     ``Any time our customers are under attack, it's on the table
to provide an update ahead of the regular update,'' he said, when
asked when the company would provide a fix for Internet Explorer.
He was referring to the regular Microsoft security updates that
occur every second Tuesday of the month.
     ``Our site was infected,'' said Robyn Eckard, a spokeswoman
for Kelley Blue Book, an automotive pricing site at
http://www.kbb.com. Users tipped off the site Wednesday that one
of 15 Web servers running Microsoft's IIS was infected, she said.

                          Infected Pages

     The infected pages were replaced and the site was restored to
normal function by Thursday morning, she said. Kelley Blue Book is
monitoring the site for any further attack and is awaiting
instructions from Microsoft, Eckard said.
     The attack places a program on personal computers that can
steal passwords from the machines, said Vince Gullotto, vice
president of the McAfee anti-virus software division at Santa
Clara, California-based Network Associates Inc.
     ``I'm not even sure there's a word for what's happening,''
Gullotto said. Although neither the server nor the browser attack
is new, the combination doesn't fit with standard examples of
computer viruses and worms, he said.
     The McAfee group is researching samples of computer code
obtained from clients to understand the nature of the attacks,
Gullotto said. The attacks appear not to be widespread, he said.
     Microsoft said the compromised Web servers weren't updated
with a software fix the company issued on April 13, Toulouse said.
The company also said it doesn't know if the fix would have
averted the attacks.

                            April Patch

     ``Our investigation has revealed that servers compromised did
not have'' the fix, he said. The April patch addressed more than
one problem with Microsoft software.
     ``The far greater danger here is the problem with Internet
Explorer,'' said Alfred Huger, a researcher with Cupertino,
California-based Symantec Corp., the largest maker of anti-virus
software. ``The number of people using browsers is much larger
than the number of servers that could be affected,'' he said.
     The U.S. Department of Homeland Security's Computer Emergency
Readiness Team issued an alert on its Web site recommending
computer users turn off their browser's ability to use JavaScript,
the code it claimed hackers are using to compromise Web pages.
     ``US-CERT recommends that end-users disable JavaScript unless
it is absolutely necessary,'' said the notice.



