Internet Explorer zero-day attack in the wild

By Stephen Withers
Thursday, 11 December 2008 01:38

Home IT

A new exploit works against fully-patched copies of Internet Explorer, security companies have warned. Its release may have been timed to coincide with Microsoft's Patch Tuesday for December.

Microsoft routinely releases security patches on the second Tuesday of the month, so releasing a new exploit into the wild around that time will provide maximum currency.

According to Symantec, the exploit - first seen in China and other parts of Asia - targets Internet Explorer 7 on Windows XP and 2003, but the underlying vulnerability may also be present in Internet Explorer 6.

Geok Meng Ong of McAfee's Avert Labs said "We have confirmed this vulnerability to be affecting, at least, a fully patched Windows XP SP3 and a Vista SP1 system."

The initial exploit uses malformed XML tags to take control of the system, but the problem could be more general, allowing the use of other page elements as attack vectors.

The exploit goes on to download additional malware from certain sites with Chinese domains.

According to Symantec's security response supervisor Elia Florio, "the attack still requires some JavaScript in order to use heap-spray techniques to achieve a reliable code execution; so, blocking JavaScript for un-trusted websites could help to somewhat mitigate the risk."

Microsoft is reportedly investigating the matter.