Hackers exploiting (unpatched) IE 7 flaw to launch drive-by attacks

Summary: Malicious hackers are exploiting a zero-day flaw in Microsoft's Internet Explorer browser to launch a new wave of drive-by downloads, according to a warning from security researchers. The Web attacks, first reported by Bob McMillan, take aim at users running IE 7 on Windows XP SP2 and include the use of a Trojan downloader that commandeers Windows machines for nefarious purposes.

Malicious hackers are exploiting a zero-day flaw in Microsoft's Internet Explorer browser to launch a new wave of drive-by downloads, according to a warning from security researchers.

The Web attacks, first reported by Bob McMillan, take aim at users running IE 7 on Windows XP SP2 and include the use of a Trojan downloader that commandeers Windows machines for nefarious purposes. They come on the same day Microsoft will ship critical patches for a wide range of vulnerabilities, including some affecting Internet Explorer.

I have confirmed the exploits have been rigged into hacked Chinese-language Web sites. According to this blog post (Google translation), there is public proof-of-concept code that suggests the attacks may become more widespread.

[ GALLERY: How to configure Internet Explorer to run securely ]

McMillan reports:

The code exploits a bug in the way IE handles XML (Extensible Markup Language) and works on the browser about "one in three times," Huang said in an instant message interview. For the attack to work, a victim must first visit a Web site that serves the malicious JavaScript code that takes advantage of the flaw.

In attacks, the code drops a malicious program on the victim's PC which then goes to download malicious software from various locations.

[ SEE: Coming on Patch Tuesday: 8 bulletins, 6 critical ]

A spokesman for Microsoft said the company is investigating the issue and offered this statement:

Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.

To minimize risk to computer users, Microsoft continues to encourage responsible disclosure.  By reporting vulnerabilities directly to a vendor, it helps ensure that customers receive comprehensive, high-quality updates while reducing the risk of attack.

Later today, Microsoft plans to ship a "critical" IE update to fix code execution holes in the world's most widely used Web browser.  However, that patch will not provide cover for this latest vulnerability.


Talkback

37 comments
  • C'mon Loverock, Comment On This One!

    That's right, you selectively avoid stories like this. If it's anti-Linux, you pounce right on it.

    IE7 is a joke.
    itanalyst2@...
    • I dunno...

      I've seen him be objective on days where there's no better trolling to do.

      I think as always, a browser is only as secure as the person using the keyboard.
      Spiritusindomit@...
  • So this doesn't affect XP SP3 or Vista?

    "The Web attacks, first reported by Bob McMillan, takes aim at users running IE 7 on Windows XP SP2"

    Yawn. Wake me when things like this can bypass IE7 Protected Mode on Vista. Until then, you've failed to impress me with a vulnerability that affects a 7 year old OS that was patched months ago (SP3) and replaced with an entirely new version (Vista) 2 years ago.
    NonZealot
    • But when 70% of Windows users don't update...

      But when 70% of Windows users don't update, it's a problem.
      The world doesn't revolve around you.
      olePigeon
      • Actually...

        Considering MS makes security patches *AUTOMATICALLY* unless the user deliberately disables it the OP has a point.

        IE7 isn't perfect, but then show me a browser that hasn't had a security patch in the last year.
        wolf_z
      • Do you see where it says "Add your opinion"?

        While the world doesn't revolve around me, my opinions necessarily do. It is my opinion that this is a very lame exploit. I didn't say that no one would be affected by it. People sent money to Nigerian princes. People were affected by it. It doesn't mean that it was a particularly impressive scam.

        Like I said, wake me when you have something more impressive than an exploit that affects users who haven't patched their 7 year old OS and doesn't affect the latest OS that was released 2 years ago whether or not users have patched it.
        NonZealot
        • agreed

          I agree that it's a problem. THEIR problem. (They being those who haven't patched their 7 year old OS) As always, the user is at fault.

          I'm gonna have a nice laugh when MS pulls XP support altogether and there will be people on these boards voicing their 'opinions'. The day can't come soon enough.

          "The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
          gnesterenko
        • *slow clap*

          That toes the line between troll and respected pundit beautifully. I <3 you, can I have your kittens, please?
          Spiritusindomit@...
      • Now if only MS could patch users

        90% of malware takes advantage of the fundamental flaw in people, that being too easy to trick. Fix the user and most of the malware out there would be useless.
        voska1
    • Sure looks like it does...

      "Internet users located in China report infections that result when using IE 7 to browse booby-trapped websites. Researchers from McAfee investigated the matter and found the exploits successfully target the Microsoft browser on both Windows XP Service Pack 3 and Vista SP 1." Link:

      http://www.theregister.co.uk/2008/12/09/zero_day_ie_flaw_exploited/
      gfeier
    • Wake Up Call - check this one

      http://www.avertlabs.com/research/blog/index.php/2008/12/09/yet-another-unpatched-drive-by-exploit-found-on-the-web/

      So much for UAC.....
      deaf_e_kate
      • I'd bet a couple bucks

        that the "full patched Vista SP1" machine had UAC disabled.
        rtk
        • Confirmation that UAC was off.

          http://www.microsoft.com/technet/security/advisory/961051.mspx

          "Mitigating Factors:

          - Protected Mode in Internet Explorer 7 in Windows Vista limits the impact of the vulnerability."

          In other words, the security researcher disabled security to get the exploit to work on his/her "fully patched Vista SP1"
          rtk
          • "Limits the impact"

            Do you know what that means? Does it mean that there's *no* impact? If it did, it would probably say so.

            In other words, there's still a danger, according to Microsoft.
            msalzberg
      • so much for..

        any chance that you know what you're talking about. UAC is to keep the user from corrupting the system and other users. The user can still get a trojan, but if uac is on the system and other user accounts will be unaffected, assuming the user didn't elevate the trojan. But a user elevating a trojan would have the same effect in linux and mac os x, i.e. the entire system would be corruptible. Without one shred of proof that UAC has not acted as intended you've decided that uac is defeated, the only thing that accomplishes is to destroy any credibility you had here.
        jamesrayg
  • RE: Hackers exploiting (unpatched) IE 7 flaw to launch drive-by attacks

    "takes aim at users running IE 7 on Windows XP SP2"

    So it's for one specific configuration of Windows which is hardly in use anymore? This isn't even a story worth writing about.

    Three things make this exploit completely dead.
    1. They have to be running XP SP2 + IE7 which hardly anyone is anymore due to the SP3 upgrade and Vista.
    2. Users only go to the same 5 websites which are trusted anyway so no chance of them going to some Chinese rigged site.
    3. Microsoft will patch this in the next patch cycle so it's not a problem.
    Loverock Davidson
    • Just about every.....

      computer that I see in my shop has IE 7 on Windows XP2. Get in the real World lover, very few have done the SP3 upgrade. This will just add another reason to stay away from the most insecure OS on the planet.
      todbran@...
      • Then you are out of date

        and it's no surprise you can't properly maintain a Microsoft Windows system.
        Loverock Davidson
        • Avoiding Me Again Chickenboy

          Go home to mommy little child.
          itanalyst2@...
        • Unfortunately....

          since I have been fixing Windows computers for the last 12 years (Windows 95 since you aren't old enough to remember Windows 95), first as an employee and second as the owner of a computer repair center, your statement is incorrect. But hey, I'm getting filthy rich off of Windows computers. So I hope that they keep supplying me with their inferior products to fix.
          todbran@...