Researchers warn that IE attacks are increasingly being launched from legitimate Web sites; Microsoft says it is working on a patch

Microsoft warned Saturday of a "huge increase" in attacks exploiting a critical unpatched vulnerability in Internet Explorer (IE), and said some originated from hacked pornography sites.

Other researchers confirmed that attacks were increasingly coming from compromised Web sites.

Microsoft noted the upswing in attacks on the company's Malware Protection Center blog late Saturday. "The trend for now is going upwards," said researchers Ziv Mador and Tareq Saadecom on the blog. "We saw a huge increase in the number of reports today compared to yesterday."

Hackers have been exploiting a data binding bug in IE for more than a week, according to researchers who first noted in-the-wild attack code on Chinese servers. The vulnerability, which exists in all versions of the Microsoft browser, including IE5.01, IE6, IE7, and IE8 Beta 2, has so far been exploited only by attack code that targets IE7, the most widely used edition.

Mador and Saadecom said that attacks are increasingly being launched from legitimate Web sites. "Some legitimate Web sites were maliciously modified to include the exploits," the two said. A popular Taiwanese search engine and a Hong Kong-based pornography site were among the sites hacked, then set up to attack visitors running IE.

Researchers at Trend Micro also reported a big increase in hacked sites serving exploits aimed at the new IE bug. On Saturday, the security firm estimated that about 6,000 sites have been infected so far, noting that the count was "quickly increasing in number."

As in previous, large-scale attacks based on legitimate Web sites, this one involves hackers who execute SQL injection attacks to first compromise the site. In a SQL injection attack, hackers exploit vulnerabilities in Web applications that rely on a back-end database, which then gives them a way to add and run malicious code, usually rogue JavaScript, against any browser.

Microsoft acknowledged that attacks have become a significant problem. "Based on our stats, since the vulnerability has gone public, roughly 0.2 percent of users worldwide may have been exposed to Web sites ontaining exploits of this latest vulnerability," Mador and Saadecom said. "That percentage may seem low, however it still means that a significant number of users have been affected."

The move to legitimate, but hacked, sites is a change in tactics. As recently as Thursday, attacks were coming only from malicious sites, most of them in China. Even then, however, Microsoft had warned that hackers would probably expand the scope of their attacks by compromising valid sites.

In related news, Microsoft said it was working on a patch for IE, although it has still not said when it would issue the update. Some researchers expect the company to release a fix outside Microsoft's normal monthly schedule; the next security updates aren't due until Jan. 9, 2009. Microsoft also revised its security advisory for a third time Saturday, adding more information about the recommended actions users should take until a patch is available. The company has offered up a total of nine different workarounds for IE users, several of which require editing of the Windows registry, a chore most users assiduously avoid.

liveusb-creator

The liveusb-creator is a cross-platform tool for easily installing live operating systems on to USB flash drives.

Features

- Completely non-destructive install. There is no need to deal with formatting or partitioning your USB key.
- Supports downloading various Fedora releases, including Fedora 9 and above!
- Automatically detects all of your removable devices
- Persistent storage creation. This lets you to allocate extra space on your USB stick, allowing you to save files and make modifications to your live operating system that will persist after you reboot. This essentially lets you carry your own personalized Fedora with you at all times. (Note: only works with Fedora 9 and above)
- SHA1 checksum verification of known releases, to ensure that you've downloaded the correct bits
- Works in Windows and Linux.

Happy holidays, challenge fans!  In the spirit of the season, I’ve written a Santa Claus challenge for you, titled “Santa Claus is Hacking to Town.”  This one is adapted from the classic 1970 Rankin & Bass television production, which used stop-motion animation and nifty puppets to tell the story of Kris Kringle.  As a child, this was one of my favorite Christmas TV specials, and I’m thrilled to recast it as an ethical hacking challenge.  You don’t need to be familiar with the original TV show to participate in the challenge, of course.  Analyze the clues, devise your strategy, and carefully answer the questions to win a prize.  Answers are due by December 31, 2008.  We’ll choose three winners (best technical answer, most creative answer that is technically correct, and a random draw winner) to get a copy of my book, Counter Hack Reloaded, the ultimate stocking stuffer.  Even if you can’t answer all the questions, send in your best guess to qualify for that random draw slot.

Even though you don’t have to be familiar with the original TV show to answer the challenge questions, for those of you who haven’t seen the original Santa Claus is Coming to Town TV show or want to relive that childhood wonder of watching Kris Kringle grow up into Santa, you can watch its five parts on YouTube here:

Universal Plug-N-Play (UPnP) is a protocol that allows various network devices to auto-configure themselves. One of the most common uses of this protocol is to allow devices or programs to open up ports on your home router in order to communicate properly with the outside world (Xbox, for example, does this). The UPnP protocol is built on top of pre-existing protocols and specifications, most notably, UDP, SSDP, SOAP and XML.

This article will address some of the security issues related to UPNP, briefly describe the inner workings of the protocol, and show how to identify and analyze UPNP devices on a network using open source tools. While we will be specifically focusing on IGDs (Internet Gateway Devices, aka, routers), it is important to remember that there are many other devices and systems that support UPNP as well, and they may be vulnerable to similar attacks.