Symantec's Vikram Thakur said the attack took the form of an email purportedly about hotel bookings that was sent to "a select group of individuals within targeted organisations" containing a link to the page containing the exploit.
The exploit silently installed malware that created a backdoor on the victim computer and accessed a server in Poland to download small, encrypted files containing commands.
"Looking at the flow of commands, it is obvious to us that someone is entering these commands manually from a remote computer," said Thakur.
The attackers specifically targeted Internet Explorer 6 and 7, but Microsoft has determined that the underlying problem is also present in IE 8, where it is mitigated by DEP (Data Execution Prevention). DEP is enabled by default for IE 8 and can be enabled for earlier versions with Microsoft's free Enhanced Mitigation Experience Toolkit (EMET).
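For an administrator wanting to confirm the mitigation described above, the following PowerShell script is an added example (not code from the article, Symantec or Microsoft). It reads the system DEP policy from the documented Win32_OperatingSystem fields and the installed IE version from the registry, then reports whether that IE would actually run under DEP. Its reasoning is the one the article implies: IE 8 opts itself in to DEP, while IE 6 and 7 do not, so under the client default policy (OptIn) a legacy IE is only covered if something like EMET forces it. The EMET check is an assumption: it looks for an uninstall entry whose DisplayName starts with "EMET", which is a heuristic rather than a documented detection method.

```powershell
# Added example: report whether DEP would cover the installed Internet Explorer.
# DataExecutionPrevention_SupportPolicy values (documented for Win32_OperatingSystem):
#   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (system binaries + opted-in processes), 3 = OptOut.
function Get-IeDepPosture {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy

    # IE records its version under HKLM\SOFTWARE\Microsoft\Internet Explorer.
    # 'svcVersion' exists on IE 10 and later and supersedes 'Version' there.
    $ieKey = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    $ieVersionString = if ($ieKey.svcVersion) { $ieKey.svcVersion } else { $ieKey.Version }
    $ieMajor = if ($ieVersionString) { [int]($ieVersionString.Split('.')[0]) } else { 0 }

    # Assumption (heuristic): EMET appears in the uninstall list with a DisplayName
    # beginning 'EMET'. Both the native and the 32-bit-on-64-bit hives are checked.
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $emetInstalled = [bool](Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'EMET*' })

    # IE 8 opts itself in, so any policy other than AlwaysOff covers it.
    # IE 6/7 do not opt in: under OptIn they run without DEP unless EMET forces it.
    $legacyIe = ($ieMajor -gt 0) -and ($ieMajor -lt 8)
    $depCoversIe = switch ($policy) {
        0 { $false }
        1 { $true }
        2 { (-not $legacyIe) -or $emetInstalled }
        3 { $true }
        default { $false }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DepAvailable   = [bool]$os.DataExecutionPrevention_Available
        DepPolicy      = $policyNames[$policy]
        IeVersion      = $ieVersionString
        LegacyIe       = $legacyIe
        EmetDetected   = $emetInstalled
        DepCoversIe    = [bool]$depCoversIe
        Recommendation = if ($depCoversIe) { 'DEP covers IE; no action needed' }
                         elseif ($legacyIe) { 'Upgrade IE or deploy EMET to opt IE in to DEP' }
                         else { 'Enable DEP (current policy is AlwaysOff)' }
    }
}

Get-IeDepPosture | Format-List
```

Run it from an elevated PowerShell session on each machine of interest, or wrap the function call in `Invoke-Command` to collect the same object from a fleet; the `DepCoversIe` field is the one to alert on.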
It appears that the targeted organisations (and Thakur said there were "more than a few") generally weren't using IE 6 or 7, or had already implemented mitigations such as DEP. Analysis of the log files from the compromised server showed that "very few" visitors had accessed the payload file. "We are not aware of any affected customers," said Jerry Bryant, group manager, response communications at Microsoft's Trustworthy Computing group.
The vulnerability itself involves CSS handling. It turns out that when faced with a certain combination of CSS tags, IE allocates insufficient memory to store them, potentially allowing the partial overwriting of a pointer. This situation is potentially exploitable using a heap spray attack.
According to the Microsoft Security Response Center engineering team, DEP blocks this type of attack, and attempts to circumvent it will be "highly unreliable (i.e. causing IE to crash)," particularly on systems supporting ASLR (address space layout randomisation).
Further protection against the vulnerability can be gained by applying a custom CSS file; instructions can be found in the advisory (see 'Workarounds').
Microsoft is developing a security update to fix the vulnerability, and it will apparently be released on a subsequent Patch Tuesday: "The issue does not meet the criteria for an out-of-band release," said Bryant.