Microsoft Corp. today warned Internet Explorer users that attackers are exploiting a previously unknown security hole in the browser to install malicious software. The company is urging users who haven’t already done so to upgrade to IE8, which includes technology that makes the vulnerability more difficult to exploit.
According to the advisory Microsoft published, this is a browse-to-a-malicious-site-and-get-owned vulnerability. The company reports that the exploit code was discovered on a single Web site that is no longer online. But if past attacks against unpatched IE flaws are any indicator, it will probably not be long before the attack is stitched into plenty of other hacked and malicious Web sites.
Redmond says Data Execution Prevention (DEP) technology enabled by default in IE8 helps protect against attacks, and that the same protection is enabled on all supported platforms, including Windows XP Service Pack 3, Windows Vista Service Pack 1, Windows Vista Service Pack 2, and Windows 7. IE9 beta apparently is not at risk from this threat.
In a post to its Microsoft Security Response Center blog, the company said that it is working to develop a security update to address this attack against the flaw, but that at the moment it “does not meet the criteria for an out-of-band release.” Microsoft is expected to issue another round of security updates next week as part of its regular “Patch Tuesday” cycle, which generally occurs on the second Tuesday of each month.
Symantec Corp. has posted a fascinating blog entry that details just how targeted the attacks have been so far. It offers a peek at how these types of critical flaws in widely used applications can be used in pinprick attacks to extract very specific information from targeted organizations and individuals. From that post:
“One such case started a few days ago when we received information about a possible exploitation using older versions of Internet Explorer as targets. Hackers had sent emails to a select group of individuals within targeted organizations. Within the email the perpetrators added a link to a specific page hosted on an otherwise legitimate website.
….Looking at the log files from this exploited server we know that the malware author had targeted more than a few organizations. The files on this server had been accessed by people in lots of organizations in multiple industries across the globe. Very few of them were seen accessing the payload file, which means that most users were using a browser which wasn’t vulnerable or targeted.”
Read more from the Symantec writeup here.