Internet Explorer ‘feature’ causing drive-by malware attacks

My colleague at Kaspersky Lab Roel Schouwenberg (see disclosure) has discovered a drive-by malware download taking advantage of what Microsoft describes as an Internet Explorer “feature” to launch cross-site scripting attacks.

The attack, discovered at a compromised legitimate site, is using a modified GIF file to exploit the cross-site scripting feature/vulnerability.

Schouwenberg said he reported the vulnerability to Microsoft a long time ago, warning the company that JavaScript embedded into GIF files can be executed under certain circumstances. Microsoft disagreed and the issue was never patched.

Fast forward to the latest site compromise — on a high-traffic Web site — where a GIF file containing an embedded iFrame is pointing IE users to a known malicious site. (The malicious site is currently offline, but there’s evidence that it’s tied to ID-theft attacks.)

“This is a step more advanced than today’s very common Web site compromises where some JavaScript gets added to the main page,” Schouwenberg said.  In this case, a “view source” at the compromised site will not reveal any malicious code, making swift analysis harder.
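Because the injected iframe sits in the image rather than in the page source, one defensive check is to walk each GIF's block structure and report any HTML tag found in it, along with the region it sits in. This is an added example, not code from the article or from Kaspersky Lab; the marker list, function names and sample bytes are assumptions constructed for illustration.

```python
import re

# Assumed marker list: tags that should never appear inside image data.
MARKUP = re.compile(rb"<\s*(?:iframe|script|html|body|object|embed)\b", re.I)

def _skip_sub_blocks(data, pos):
    """Walk length-prefixed GIF sub-blocks; return the offset after the 0x00 terminator."""
    while pos < len(data) and data[pos] != 0:
        pos += 1 + data[pos]
    return min(pos + 1, len(data))

def gif_regions(data):
    """Split a GIF into (name, start, end) regions by walking its block structure."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    regions, pos = [("header", 0, 13)], 13
    if data[10] & 0x80:  # global color table: 3 * 2^(N+1) bytes
        size = 3 * (2 << (data[10] & 0x07))
        regions.append(("global_color_table", pos, pos + size))
        pos += size
    while pos < len(data):
        start, tag = pos, data[pos]
        if tag == 0x3B:  # trailer: a well-formed file ends here
            regions.append(("trailer", start, start + 1))
            pos += 1
            break
        if tag == 0x21 and pos + 2 <= len(data):  # extension block
            name = "comment_ext" if data[pos + 1] == 0xFE else "extension"
            pos = _skip_sub_blocks(data, pos + 2)
        elif tag == 0x2C and pos + 10 <= len(data):  # image descriptor
            name, packed = "image", data[pos + 9]
            pos += 10 + (3 * (2 << (packed & 0x07)) if packed & 0x80 else 0)
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the LZW code size byte
        else:
            break  # unknown block type: stop and report the rest as unparsed
        regions.append((name, start, pos))
    if pos < len(data):
        regions.append(("trailing_or_unparsed", pos, len(data)))
    return regions

def find_markup(data):
    """Return (region, offset, tag) for each HTML tag found inside a GIF-signed file."""
    regions = gif_regions(data)
    return [(next((n for n, s, e in regions if s <= m.start() < e), "unknown"),
             m.start(), m.group(0).decode().lower()) for m in MARKUP.finditer(data)]

# Constructed samples: a minimal 1x1 GIF and two tampered variants.
PAYLOAD = b'<iframe src="http://example.invalid/"></iframe>'
HEAD = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
IMAGE = b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00"
CLEAN = HEAD + IMAGE + b"\x3b"
IN_COMMENT = HEAD + b"\x21\xfe" + bytes([len(PAYLOAD)]) + PAYLOAD + b"\x00" + IMAGE + b"\x3b"
APPENDED = CLEAN + PAYLOAD
```

Any hit is worth investigating, and a non-empty `trailing_or_unparsed` region is suspicious on its own, since a well-formed GIF ends at its trailer byte.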

Schouwenberg has contacted Microsoft again, asking it to reconsider its position on this issue.

[Source: zdnet]