
Trojans target unpatched IE flaw

Tom Espiner ZDNet.co.uk

Published: 05 Dec 2005 15:05 GMT


Computer users have been warned that several Trojan horses that exploit an unpatched flaw in Internet Explorer have now been discovered.

Two exploits that use the recently disclosed vulnerability were reported by antivirus company Sophos on Friday. Called Clunky-B and Delf-LT, the exploits could allow malicious code to be executed remotely on a user's PC.

These Trojans could "download anything, including a 'banker Trojan' that gives up your bank details", according to a Sophos spokesperson.

Microsoft issued an advisory last week, on "the way Internet Explorer handles mismatched document object model objects". Systems running Microsoft Internet Explorer on Windows XP Service Packs 1 and 2 are vulnerable to attack. Machines running Windows 98, Windows 98 SE, Windows Me and Windows 2000 Service Pack 4 are also vulnerable to the exploits.

Microsoft is not due to issue another round of security patches until 13 December. Some security experts have suggested the company should roll out an unscheduled patch before this time to address this flaw. However, it's not clear whether the flaw will even be addressed in the next Microsoft security bulletin.

"We're working on a fix at the moment. I don't have confirmation that the patch will be available in the next round of updates, but we will include the fix in an upcoming security bulletin," said a Microsoft spokesperson.

The unpatched Internet Explorer vulnerability was first reported in May. The vulnerability was initially thought to only allow a denial-of-service attack, which would cause IE to crash.

Microsoft updated its advisory last week because "remote execution of code through this vulnerability [was found to be] possible. This is new information that's come about," said the spokesperson.

Sophos warned that the Trojans could be downloaded onto a user's computer if they visited a specially crafted Web site, and said it had found such a site. Sophos has refused to name the Web site in question, but it appears the threat to users at the moment is slight.

"It is not a hacked Web site which is in common usage — it is unlikely that someone would visit it unprompted," said Sophos. "We don't see this in our spam traps, so it is unlikely that a wide-ranging spam campaign was used to get people to visit the dodgy site."

Sophos advised users to turn off the Active Scripting facility in Internet Explorer, as a stop-gap measure.

"Until a fix is available from Microsoft, concerned computer users should consider changing the configuration of Internet Explorer to turn off, or prompt before, allowing Active Scripting to run," said the company.
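An added example, not from the article, Sophos or Microsoft: a PowerShell script that reports the Active Scripting setting for each Internet Explorer security zone and can set the Internet zone to Prompt or Disable. It assumes the standard zone registry layout (URL action 1400; data 0 = Enable, 1 = Prompt, 3 = Disable); the function names are hypothetical and the lookup order is a simplification.

```powershell
# Added example (not from the article). Function names are hypothetical.
# URL action 1400 is "Active scripting"; data 0 = Enable, 1 = Prompt, 3 = Disable.
$ActionName = '1400'
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Zones   = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Suffix  = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Assumed lookup order (simplified): machine policy, user policy, user preference.
$Roots = @(
    "HKLM:\Software\Policies\$Suffix",
    "HKCU:\Software\Policies\$Suffix",
    "HKCU:\Software\$Suffix"
)

function Get-ActiveScriptingSetting {
    param([int]$Zone = 3)
    foreach ($root in $Roots) {
        $item = Get-ItemProperty -Path "$root\$Zone" -Name $ActionName -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $data = [int]$item.$ActionName
        $text = if ($Meaning.ContainsKey($data)) { $Meaning[$data] } else { "Unknown ($data)" }
        return [pscustomobject]@{ Zone = $Zones[$Zone]; Setting = $text; Source = $root }
    }
    # No value found in any location checked.
    [pscustomobject]@{ Zone = $Zones[$Zone]; Setting = 'Not set'; Source = $null }
}

function Set-ActiveScriptingSetting {
    param(
        [Parameter(Mandatory)][ValidateSet('Prompt', 'Disable')][string]$Setting,
        [int]$Zone = 3
    )
    $data = if ($Setting -eq 'Prompt') { 1 } else { 3 }
    $path = "HKCU:\Software\$Suffix\$Zone"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Writes the per-user preference only; a policy value above would still win.
    Set-ItemProperty -Path $path -Name $ActionName -Value $data -Type DWord
}

# Report every zone, then flag any where scripts run without a prompt.
$report = 1..4 | ForEach-Object { Get-ActiveScriptingSetting -Zone $_ }
$report | Format-Table -AutoSize
$report | Where-Object { $_.Setting -eq 'Enable' } |
    ForEach-Object { Write-Warning "Active Scripting runs unprompted in zone: $($_.Zone)" }

# Apply the stop-gap to the Internet zone (uncomment to change the setting):
# Set-ActiveScriptingSetting -Setting Prompt -Zone 3
```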

Details of the next Microsoft security bulletin will be available here from 8 December.
