Hackers Jump On Newest IE7 Bug 162
CWmike writes "Attackers are already exploiting a bug in Internet Explorer 7 that Microsoft patched just last week, security researchers warned today. Although the attacks are currently in 'very, very small numbers,' they may be just the forerunner of a larger campaign, said Trend Micro's Jamz Yaneza. 'I see this as a proof-of-concept,' said Yaneza, who noted that the exploit's payload is extremely straightforward and explained that there has been no attempt to mask it by, say, planting a root kit on the victimized PC at the same time. 'I wouldn't be surprised to see this [exploit] show up in one of those Chinese exploit kits,' he added. The new attack code, which Trend Micro dubbed 'XML_Dloadr.a,' arrives in a spam message as a malicious file masquerading as a Microsoft Word document."
Hopefully attacks like this won't be as prevolent (Score:3, Interesting)
Use firefox? (Score:1, Interesting)
How would switching to FireFox help? So you can get a different brand of virus?
Patch and keep patching. That is the only safe bet.
Yes I am using Firefox right now.
Re:Hopefully attacks like this won't be as prevole (Score:3, Interesting)
Running Linux will.
Apparently not if you're using KDE or GNOME [slashdot.org].
Re:Hopefully attacks like this won't be as prevole (Score:3, Interesting)
And then the exploits will occur with the browser that most people are using. Face it: there are bugs in every piece of software out there, and it's just a matter of time before someone finds and exploits them.
So a more diverse set of browsers in use leads to fewer people being exploited. Sounds like something worth encouraging. And while we're at it, how can we encourage vendors to make their browsers more secure and generally better. If only there were some way to motivate developers using common human motivations. I know, we could have them compete with each other on a level playing field in a fee market and the best browser will gain the most market share, so they will all work extra hard to make theirs the best. It's brilliant!
What the law already mandates this? Well, better yet. What one company is breaking the law and preventing competition and thus removing the motivation for much improvement and lowering the bar for everyone? Surely the courts will act quickly and decisively to stop this criminal behavior.
Re:Hopefully attacks like this won't be as prevole (Score:5, Interesting)
It's not that difficult. I can turn your shiny Linux box into a bot zombie by sending you a Perl script in a tarfile with the execute bit set and asking you to extract and run it. I don't even need root access. More sophisticated? Fine, how about I do the same thing but use, say, Python and a simple wxWidgets UI to ask for your root password? You know, because I need it to "update your system". Chances are good you have all that installed on your system if you use the average distro.
Don't underestimate the power of simple social engineering or the tendency of users to do dumb things. And don't overestimate the alleged technological superiority of your OS. I don't need to code an ELF binary in x86 assembler to do damage, and no one writes destructive viruses anymore. Neither you nor your data are the target. The commodity being sought here is your machine and its network connection.