When being careful isn't enough

Posted by Maxim Weinstein Thu, 18 Dec 2008 21:03:35 GMT

The big news in the malware world this week was the spread of a new zero-day exploit for Internet Explorer. Microsoft responded fairly quickly, releasing an emergency patch yesterday, but meanwhile the bad guys were working quickly to hack websites so they could deliver password-stealing malware onto users’ vulnerable machines via drive-by download.

To me, this highlights a trend that the security community has been seeing more lately: very rapid distribution of exploits for applications that haven’t been patched or that have just recently been patched. This is enabled by malicious actors’ ability to deploy exploit code quickly through botnets, spam, and vulnerable websites.

In turn, this trend points out the insufficiency of "being careful" as a defense against malware. Keeping your PC up to date and avoiding suspicious websites are important safety steps, but neither will protect a user from a legitimate website hosting a zero-day drive-by exploit.

Security experts always talk about layers of security, and this is a great example of the importance of that. When you combine the defenses above with "just in time" warning messages about known badware websites, proactive AV scanning, and improved security architecture in the desktop OS and applications, a user has a reasonable chance of being protected from even new, fast-moving threats. Perhaps there’s still more that can be done. Public user warning systems, distributed intelligence gathering, and other new approaches to helping users avoid malware are on the horizon, and StopBadware looks forward to working with its partners and the rest of the community in our collective effort to fight back.


Microsoft Live Search adds malware warnings

Posted by Maxim Weinstein Thu, 04 Dec 2008 21:19:36 GMT

Microsoft Live Search recently joined Yahoo! and StopBadware partner Google in warning users about malware-infected websites in search results:

As Live Search crawls the web, we assess whether a page contains any malicious elements or exhibits any malicious behavior, and then flag questionable pages with a warning message.

Kudos to Microsoft for getting on board with what we believe has been an effective way of reducing ordinary PC users’ exposure to drive-by downloads and other web-based threats. We have not yet explored the new feature too extensively, so we don’t know yet how accurate their listings are or how they’re managing the process of reviewing websites that site owners believe are mislabeled or have been cleaned up. However, we are in touch with folks in Redmond, and we hope to learn more in the coming weeks.


Oliver guest blogs at SecurityFocus

Posted by Maxim Weinstein Fri, 14 Nov 2008 17:04:41 GMT

StopBadware.org staff security researcher Oliver Day has a guest blog post at SecurityFocus that explores the relationship between Microsoft’s anti-piracy measures and the number of vulnerable Windows machines around the world. His conclusion:

The simple answer is that the current WGA policies from Microsoft significantly extend the lifetimes of vulnerabilities, sometimes indefinitely.

Follow the link above to read his full, thoughtful post.


Serious Internet Explorer vulnerability

Posted by Maxim Weinstein Tue, 12 Aug 2008 19:25:50 GMT

Symantec describes a vulnerability in Internet Explorer that allows a website with malicious content to install a Microsoft-signed ActiveX control and then exploit a known vulnerability in that control:

Because the control is Microsoft signed, its installation is silent, and does not require any user interaction. Once this vulnerable control is installed on the victim’s computer, it is exploited in the same way as if the control was installed all along. To top it off, this attack is carried out as a drive-by attack, so the unprotected user may never know that they were vulnerable, or had been targeted, let alone infected.

It does not appear that there is a known fix for this right now, so it’s just one more reason to keep your security software up to date if you’re using Internet Explorer.


Microsoft bug denial reportedly leads to exploit

Posted by Maxim Weinstein Fri, 27 Jun 2008 18:10:30 GMT

A researcher from security firm Kaspersky reportedly claims that he told Microsoft of a vulnerability in Internet Explorer “a long time ago,” but Microsoft didn’t consider it a security issue. Now, he claims he has found an example of an exploit in the wild that takes advantage of the vulnerability.

The attack, discovered at a compromised legitimate site, is using a modified GIF file to exploit the cross-site scripting feature/vulnerability.

...

Fast forward to the latest site compromise — on a high traffic Web site — where a GIF file containing an embedded iFrame is pointing IE users to a known malicious site. (The malicious site is currently offline but there’s evidence that it’s tied to ID-theft attacks)....

If the researcher’s findings are true (we haven’t confirmed them), then Microsoft should be embarrassed for missing an opportunity to protect its users and should immediately reconsider its position and treat this as the security issue that it is.
