Security experts are urging Internet Explorer users to switch to another browser or disable Active Scripting to guard against a new exploit for the IFRAME vulnerability that hides in Web site ad banners.
"Either these ad servers have been hacked or someone is buying up ad space so they can exploit the IFRAME flaw," said Joe Stewart, senior security researcher for LURHQ, a Chicago-based MSSP. "Any Web site that has ad banners could be affected, and since there are so many ways to hide these exploits, it's very difficult for a company to figure out if they're infected."
The Bethesda, Md.-based SANS Internet Storm Center has been posting warnings on its Web site since the weekend, saying it has received reports of compromised sites in Britain, Sweden and the Netherlands. "This may indicate a more widespread attack across Europe," the storm center said in one message. "One suggestion is that the advertising servers rather than the sites themselves contain the exploit, which of course means that perhaps hundreds of sites are affected."
The storm center said, "If you operate a Web site that serves banner advertisements, you are highly recommended to verify that the banners do not contain the IFRAME exploit code. Or you might want to consider disabling banner ads for a little while to minimize the risk of accidentally infecting your users and propagating. Since this vulnerability is easy to exploit, it is likely that malware for this issue will come in many flavors and colors."
Detecting exploit code in ad banners is no easy task, Stewart said. "Anyone can come along and submit an HTML page with exploit code," he said. "You're relying on the ad banner provider to watch out for this, but the problem is that there are so many ways to hide this sort of thing." The LURHQ Web site has a full analysis of the banner ad exploits.
The IFRAME vulnerability in Internet Explorer 6 was discovered Oct. 24, affecting all Windows platforms except those that have installed XP SP2. It is caused by a boundary error in the handling of certain attributes in the IFRAME HTML tag and can be exploited to cause a buffer overflow via a malicious html document containing overly long strings in the "src" and "name" attributes of the IFRAME tag. Successful attackers can use the flaw to launch malicious code. The security hole has also been targeted by variants of the Mydoom and Bofra worms in the last two weeks.
A Microsoft spokeswoman has acknowledged the vulnerability in interviews with SearchSecurity.com and other media sites. But the software giant has yet to issue a statement on its Web site with potential workarounds or word on when a patch will be made available. The company's next patch release is scheduled for Dec. 14.
"At this point, one can only hope that Microsoft will get on the ball and patch this problem," Stewart said.
This article originally appeared on SearchSecurity.com.