Microsoft bug denial reportedly leads to exploit

Posted by Maxim Weinstein Fri, 27 Jun 2008 18:10:30 GMT

A researcher from security firm Kaspersky reportedly claims that he told Microsoft of a vulnerability in Internet Explorer “a long time ago,” but Microsoft didn’t consider it a security issue. Now, he claims he has found an example of an exploit in the wild that takes advantage of the vulnerability.

The attack, discovered at a compromised legitimate site, is using a modified GIF file to exploit the cross-site scripting feature/vulnerability.

...

Fast forward to the latest site compromise — on a high traffic Web site — where a GIF file containing an embedded iFrame is pointing IE users to a known malicious site. (The malicious site is currently offline but there’s evidence that it’s tied to ID-theft attacks)....

If the researcher’s findings are true (we haven’t confirmed them), then Microsoft should be embarrassed for missing an opportunity to protect its users and should immediately reconsider its position and treat this as the security issue that it is.


No such thing as a guaranteed safe site

Posted by Erica George Fri, 27 Jun 2008 16:22:44 GMT

When I talk to friends about web-based badware, one of the most frequent things I hear is a version of “Oh, I don’t have to worry about that – I don’t go to any sketchy sites.” The security world has known for a while now that even legitimate, trusted websites can be hacked, but that knowledge still hasn’t made its way out to much of the public. It often takes the hacking of a prominent site to shatter the illusion.

This week, the website of ICANN, the Internet Corporation for Assigned Names and Numbers, was hacked and defaced, along with the site for IANA, the Internet Assigned Numbers Authority. ICANN is the group in charge of internet governance at its most basic level, choosing which new top-level domains (like .com or .org) to create, and setting the protocols for how internet addresses work. Ironically, it was the domain name settings for the ICANN and IANA sites themselves that were hacked and redirected to a page with a derisive message.

Fortunately, the hackers are a group from Turkey apparently more interested in mischief and notoriety than in harming users’ computers, but it would have been easy to redirect ICANN and IANA visitors to a malicious site if that had been the hackers’ goal.

The lesson? As ZDNet’s Dancho Danchev put it:

One thing’s for sure though, if the ICANN and IANA can lose control of their domains, anyone can.


Reinterpreting the Disclosure Debate for Web Infections

Posted by Maxim Weinstein Thu, 26 Jun 2008 20:11:04 GMT

Today, StopBadware.org staff Oliver Day and Brandon Palmen, along with affiliated Harvard researcher Rachel Greenstadt, presented research at the Workshop on the Economics of Information Security, held at the Tuck School of Business at Dartmouth College. A final version of their paper will be available in the proceedings from the conference. For now, here’s an abstract:

Internet end-users increasingly face threats of compromise by visiting seemingly innocuous websites that are themselves compromised by malicious actors. These compromised machines are then incorporated into bot networks that perpetuate further attacks on the Internet. Google attempts to protect users of its search products from these hidden threats by publicly disclosing these infections in interstitial warning pages behind the results. This paper seeks to explore the effects of this policy on the economic ecosystem of webmasters, web hosts, and attackers by analyzing the experiences and data of the StopBadware project. The StopBadware project manages the appeals process whereby websites whose infections have been disclosed by Google get fixed and unquarantined. Our results show that, in the absence of disclosure and quarantine, certain classes of webmasters and hosting providers are not incentivized to secure their platforms and websites and that the malware industry is sophisticated and adapts to this reality. A delayed disclosure policy may be appropriate for traditional software products. However, in the web infection space, silence during this period leads to further infection since the attack is already in progress. We relate specific examples where disclosure has had beneficial effects and further support this conclusion by comparing infection rates in the U.S. where Google has high penetration to China where its market penetration rate is much lower.


Internet Public Health

Posted by Maxim Weinstein Thu, 26 Jun 2008 19:36:27 GMT

Over on my own Harvard blog, I’ve started a series of posts about my foray into the field of public health and how it relates to the malware world. If you’re interested, please read along and post your thoughts in the comments.


New vulnerability found in IE6

Posted by Maxim Weinstein Thu, 26 Jun 2008 16:58:27 GMT

Ryan Naraine over at the Zero Day Blog reports that a new vulnerability has been found in Internet Explorer 6 running on Windows XP with service pack 2 or 3:

An unpatched cross-domain vulnerability in Microsoft’s flagship Internet Explorer browser could expose Windows users to cookie hijacks and credentials theft attacks, according to a warning from security researchers.

At the moment, there is no patch:

In the absence of a patch, IE users are strongly encouraged to upgrade to IE 7. Or, as always, consider using an alternative browser.
