Escalating attacks prompted emergency IE update, says Microsoft

China, home of the security firm that reported the bug, is No. 1 attack target

Microsoft said that it patched the critical vulnerability in Internet Explorer (IE) earlier this week because the number of attacks jumped after news broke that the exploit had gone public.

Microsoft's explanation fit the expectations of several security researchers, who earlier this month predicted that the company would release an "out-of-band" update if attacks climbed, saying that that was the determining factor in Microsoft's decision-making process.

Holly Stewart, a senior program manager with the Microsoft Malware Protection Center (MMPC), acknowledged that attacks exploiting the "iepeers.dll" escalated March 12, two days after Israeli researcher Moshe Ben Abu used a clue in a McAfee blog to build a working attack for the popular Metasploit open-source penetration testing kit.

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Microsoft said that it patched the critical vulnerability in Internet Explorer (IE) earlier this week because the number of attacks jumped after news broke that the exploit had gone public.

Microsoft's explanation fit the expectations of several security researchers, who earlier this month predicted that the company would release an "out-of-band" update if attacks climbed, saying that that was the determining factor in Microsoft's decision-making process.

Holly Stewart, a senior program manager with the Microsoft Malware Protection Center (MMPC), acknowledged that attacks exploiting the "iepeers.dll" escalated March 12, two days after Israeli researcher Moshe Ben Abu used a clue in a McAfee blog to build a working attack for the popular Metasploit open-source penetration testing kit.

Three days before that, Microsoft had issued a security advisory warning users the vulnerability was already being used by hackers in drive-by attacks from malicious sites. At the time, Microsoft said that while both IE6 and IE7 could be exploited, the latter's pseudo sandbox would protect users.

Prominent researcher HD Moore, the creator of Metasploit and chief security officer at security company Rapid7, said on Tuesday that another likely factor in Microsoft's decision to accelerate the patch was that others had figured out how to modify Abu's exploit so that it was successful against IE7 as well as IE6.

Microsoft patched the iepeers.dll memory corruption vulnerability, and nine others, in the MS10-018 update it issued Tuesday , two weeks ahead of its standard schedule.

Stewart also said that Microsoft's analysis indicated that 80% of the attacks using the iepeers.dll exploit were aimed at Chinese computers. Whether coincidence or not, the vulnerability was originally reported to Microsoft by Beijing-based ADLab, an arm of security firm VenusTech. ADLab alerted Microsoft of the bug in mid-November 2009.

Machines in neighboring South Korea accounted for 11% of the attacks, but only 5% targeted U.S. PCs, said Stewart in an entry to the MMPC blog on Tuesday.

Symantec essentially confirmed Microsoft's data, although it described the target percentages a bit differently. After analyzing the attacks it has seen exploiting the iepeers.dll vulnerability, the security company's security response team ranked China as the No.1 target country, with Korea and the U.S. in the No. 2 and No. 3 spots, respectively.

"The count in China appears to be approximately 10 times that of Korea and the count in Korea is roughly the same as that in the Unites States," a Symantec spokesman said today. "The counts in ... other countries ... appear to be one tenth of those in the United States."

Stewart was optimistic that the MS10-018 update would dampen attacks. "Like the lifecycle of most vulnerabilities, we expect the threat landscape to mellow with the release and adoption of updates and protection," she said.

According to recent research by Wolfgang Kandek, the chief technology officer of Qualys, a California security risk and compliance management provider, emergency updates like this week's for IE take between nine and ten days to be applied to half of all PCs. Even weeks or months later, a significant percentage of machines remain vulnerable, Kandek said in a recent interview. About 20% of PCs still have not received the critical "out-of-band" update that Microsoft issued in January 2010, for example.