Malicious hackers are exploiting a zero-day flaw in Microsoft's Internet Explorer browser to launch a new wave of drive-by downloads, according to a warning from security researchers.
The Web attacks, first reported by Bob McMillan, take aim at users running IE 7 on Windows XP SP2 and include the use of a Trojan downloader that commandeers Windows machines for nefarious purposes. They come on the same day Microsoft will ship critical patches for a wide range of vulnerabilities, including some affecting Internet Explorer.
I have confirmed the exploits have been rigged into hacked Chinese-language Web sites. According to this blog post (Google translation), there is public proof-of-concept code, which suggests the attacks may become more widespread.
In the attacks, the exploit drops a malicious program on the victim's PC, which then downloads additional malicious software from various locations.
A spokesman for Microsoft said the company is investigating the issue and offered this statement:
Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.
To minimize risk to computer users, Microsoft continues to encourage responsible disclosure. By reporting vulnerabilities directly to a vendor, it helps ensure that customers receive comprehensive, high-quality updates while reducing the risk of attack.
Later today, Microsoft plans to ship a "critical" IE update to fix code execution holes in the world's most widely used Web browser. However, that patch will not provide cover for this latest vulnerability.