Browse and Get Owned: IE6, IE7 Users Victimized

Microsoft has confirmed that thousands of legitimate web sites have been compromised by hackers and are now targeting innocent users through a critical unpatched vulnerability in Windows' DirectShow, part of DirectX.

This is the second time in just six weeks that hackers have been exploiting the unpatched bug. This time, however, it appears as though Internet Explorer (IE) has been chosen as the weapon of choice when trapping innocent users.

Browse and Get Owned Attacks: Drive-By Hackings

The new wave of attacks is being referred to as "browse and get owned attacks" or "drive-by hackings". Basically, a user stumbles upon a malicious web site or a compromised legitimate web site and falls prey to a hacker. Worst of all, once the user is trapped (unbeknownst to them) no further user intervention is required. (Source: pcworld.com)

As mentioned in a previous article, those who run IE6 or IE7 on Windows XP and Windows Server 2003 are vulnerable to drive-by hackings, while those who run IE6 and IE7 on Windows Vista and Windows Server 2008 are not at risk. Interestingly enough, Microsoft has also made it a point to mention that IE8 (the latest Microsoft browser) is also not at risk to these attacks.

Kill Bit When Caught in a Drive-By

Microsoft has urged those who are running an at-risk browser to set 45 "kill bits" in the flawed ActiveX control that contains the vulnerability. Basically, a kill bit will instruct the browser to never use a specific component of ActiveX control software, identifying it by its own unique number. (Source: idg.no)

However, setting ActiveX kill bits can be dangerous, because it involves editing the Windows registry. If done incorrectly, users could be asked to reinstall their entire operating system, potentially losing thousands of important files in the process.

Microsoft has also created a downloadable automated tool to help at-risk browsers. The new tool can be downloaded from Microsoft's support site at any time.

While it was promised that a more comprehensive patch was forthcoming, Microsoft declined to comment on whether or not the patch would be made available before July 14, the next scheduled security release date.