IFRAME Exploit Spreading Through Banner Ads
21st November, 2004
"Some high profile sites with banner ads are linking to servers that have the exploit and malicious code," according to an advisory on the ISC web site. The attack is an expanded version of banner-based exploits that first surfaced earlier this year. Banner networks, with their ability to place code on hundreds of outside sites, offer a vehicle for the rapid distribution of trojans and other malware, as well as a way to deface web pages. It is not clear whether the malicious code was being spread through a compromised ad server, or through specific banners submitted to ad networks.
Site operators are being cautioned to verify that the banners do not contain the IFRAME exploit code, or failing that, temporarily disable banner ads to minimize the risk of accidentally infecting users and propagating the exploit. The ISC did not identify any of the affected sites.
Users clicking on the banners are being infected with variants of the Bofra worm, which has been propagating through e-mail and malicious web sites. Bofra appeared just days after the revelation of the IFRAME vulnerability, which affects Internet Explorer 6 on all Windows platforms except Windows XP Service Pack 2 (SP2). This vulnerability allows attackers to gain complete control of a user's computer.
Microsoft has not issued a patch for the Internet Explorer IFRAME hole for users that have yet to install SP2. However, a German security researcher has issued an independent patch, prompting discussion among security vendors about the risks of "unofficial" patches.
Windows XP SP2 has been downloaded more than 105 million times, according to Microsoft, but some corporate IT departments have reported problems with installations. The ISC recommended that IE6 users who haven't installed the SP2 update "utilize a different web browser until a patch is released by Microsoft."