Today Microsoft released Security Advisory 2458511 to warn Internet Explorer users of a new zero-day attack that Microsoft has seen in the wild. It affects versions 6, 7, and 8, although Microsoft says that the default installations of IE8 make that version of the browser harder to exploit.
UPDATED: Security researchers at Symantec reported the attack to Microsoft and earlier today posted details. I'll summarize. The attackers built an exploit that works only against the older versions of IE, 6 and 7. They compromised otherwise legitimate Web servers and planted a malicious page on each, then sent e-mails to selected individuals within various organizations to lure them to it. When a target visited the page, a script on it checked which version of IE the visitor was running. If it was not IE 6 or 7, the visitor saw a blank Web page. If it was, the page silently downloaded a Trojan, which then let the attackers deliver commands to the infected machine disguised as .gif files. The victim need do nothing but visit the page. The owners of the identified Web sites hosting the malicious pages have been contacted and the files removed, but there is no telling how many more are still out there.
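The version check described above leaves a fingerprint on the compromised server: the same URL returns a large page to IE 6 and 7 and a near-empty one to everyone else. The following script, an added example that is not part of the original post or of Symantec's write-up, shows one way a site owner could hunt for that pattern in an Apache combined-format access log. The log lines, the paths and the byte counts are constructed for the example; the threshold ratio is an assumption. It also handles one caveat a naive version check misses: IE 8 in Compatibility View announces itself as "MSIE 7.0" but adds a "Trident/4.0" token, so the script counts it as IE 8.

```python
import re
from collections import defaultdict
from statistics import median

# Apache combined log format (the sample below is constructed, not a real log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
MSIE_RE = re.compile(r'MSIE (\d+)\.\d+')

# Constructed sample: one planted page that cloaks by browser version, one normal page.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Nov/2010:09:12:01 +0000] "GET /news/update.html HTTP/1.1" 200 24536 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.6 - - [03/Nov/2010:09:12:44 +0000] "GET /news/update.html HTTP/1.1" 200 24518 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.7 - - [03/Nov/2010:09:13:10 +0000] "GET /news/update.html HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.8 - - [03/Nov/2010:09:13:52 +0000] "GET /news/update.html HTTP/1.1" 200 312 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
10.0.0.9 - - [03/Nov/2010:09:14:05 +0000] "GET /news/update.html HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"
10.0.0.5 - - [03/Nov/2010:09:15:00 +0000] "GET /index.html HTTP/1.1" 200 8120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.8 - - [03/Nov/2010:09:15:30 +0000] "GET /index.html HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"
"""


def ie_major(ua):
    """Return the IE major version a User-Agent claims, or None for non-IE browsers.

    IE 8 in Compatibility View sends 'MSIE 7.0' together with 'Trident/4.0';
    a check keyed on the MSIE token alone would mistake it for IE 7.
    """
    m = MSIE_RE.search(ua)
    if not m:
        return None
    major = int(m.group(1))
    if major == 7 and "Trident/4.0" in ua:
        return 8
    return major


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = None if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def find_cloaked_paths(log_text, target=(6, 7), min_ratio=5.0):
    """Flag paths whose successful responses to IE 6/7 are far larger than to other browsers.

    Returns {path: (median_bytes_to_target_versions, median_bytes_to_everyone_else)}.
    min_ratio is an assumed threshold; a blank page versus a real one is far above it.
    """
    sizes = defaultdict(lambda: {"target": [], "other": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200 or rec["bytes"] is None:
            continue
        bucket = "target" if ie_major(rec["ua"]) in target else "other"
        sizes[rec["path"]][bucket].append(rec["bytes"])

    flagged = {}
    for path, groups in sizes.items():
        if not groups["target"] or not groups["other"]:
            continue  # no comparison possible without both populations
        t, o = median(groups["target"]), median(groups["other"])
        if o > 0 and t / o >= min_ratio:
            flagged[path] = (t, o)
    return flagged


if __name__ == "__main__":
    for path, (t, o) in find_cloaked_paths(SAMPLE_LOG).items():
        print(f"{path}: IE6/7 got ~{t:.0f} bytes, others ~{o:.0f} bytes")
```

On the constructed log only /news/update.html is reported, because /index.html serves the same size to everyone. Run against a real log the byte counts will be noisier (compression, conditional requests, 304s are skipped here), so treat a hit as a lead to pull the page and inspect it, not as proof of compromise.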
It is unlikely that a patch will be available by next week's Patch Tuesday, says Jason Miller, data and security team leader, Shavlik Technologies, Minneapolis, MN. However Miller says if Microsoft sees an uptick in this attack, he would expect Microsoft to release an out-of-band patch.
Microsoft explains:
"The vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution. At this time, we are aware of targeted attacks attempting to use this vulnerability."
IE 8 is less vulnerable because of the "defense in depth protections" provided by its Data Execution Prevention (DEP) feature, which Microsoft says is enabled by default in Internet Explorer 8 on all supported Windows platforms. DEP does not remove the underlying use-after-free bug; it only makes the bug harder to turn into code execution. While Microsoft PR says that "the impact of this vulnerability is extremely limited and we are not aware of any affected customers," the security advisory itself notes that attackers are already trying to take advantage of the hole in the wild. It says, "At this time, we are aware of targeted attacks attempting to use this vulnerability."
Microsoft says that IE 9 isn't affected, but remember IE 9 isn't available for XP users, not even those who are using XP SP3, which Microsoft is still supporting.
While no patch is available yet, Microsoft has offered several workarounds including:
Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor. She also writes the Open Source Subnet blog and is the editor responsible for the Cisco Subnet and Open Source Subnet web sites. If you have an idea for a blog, or a news tip on Microsoft, Cisco or Open Source technologies, contact her at jbort@nww.com, 970-482-6454 or follow Julie on Twitter @Julie188.