Hackers exploiting (unpatched) IE 7 flaw to launch drive-by attacks

Malicious hackers are exploiting a zero-day flaw in Microsoft's Internet Explorer browser to launch a new wave of drive-by downloads, according to a warning from security researchers.

The Web attacks, first reported by Bob McMillan, take aim at users running IE 7 on Windows XP SP2 and include the use of a Trojan downloader that commandeers Windows machines for nefarious purposes. They come on the same day Microsoft will ship critical patches for a wide range of vulnerabilities, including some affecting Internet Explorer.

I have confirmed the exploits have been rigged into hacked Chinese-language Web sites. According to this blog post (Google translation), there is public proof-of-concept code that suggests the attacks may become more widespread.

McMillan reports:

The code exploits a bug in the way IE handles XML (Extensible Markup Language) and works on the browser about "one in three times," Huang said in an instant message interview. For the attack to work, a victim must first visit a Web site that serves the malicious JavaScript code that takes advantage of the flaw.

In attacks, the code drops a malicious program on the victim's PC which then goes to download malicious software from various locations.

A spokesman for Microsoft said the company is investigating the issue and offered this statement:

Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.

To minimize risk to computer users, Microsoft continues to encourage responsible disclosure. By reporting vulnerabilities directly to a vendor, it helps ensure that customers receive comprehensive, high-quality updates while reducing the risk of attack.

Later today, Microsoft plans to ship a "critical" IE update to fix code execution holes in the world's most widely used Web browser. However, that patch will not provide cover for this latest vulnerability.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
