IE7 under attack from 'accidental' zero-day exploit

Summary: Internet Explorer 7 (IE7) users are threatened by a zero-day exploit that may have been "accidentally" let loose by Chinese security researchers and is expected to cause havoc over the holiday period, according to several security companies.

TOPICS: Browser, Security

Rick Howard, director of intelligence at iDefense Security Intelligence Services, said the exploit was accidentally released by a Chinese security team on Tuesday — the same day Microsoft released a massive update — and has now been incorporated into exploit toolkits designed to install information-stealing trojans.

"The IE7 Zero-Day is really nasty. No patch. Mitigation options are not good; some are draconian. Dig in folks; this could be a rough ride," said Howard.

According to browser tracking service W3schools, IE7 accounted for 26 per cent of the world's browsers in November.

The exploit first appeared in China last Tuesday and has quickly morphed into several variants, according to Howard. iDefense has given the exploit a "high" threat rating because it works against systems that are fully patched as of Microsoft's December Patch Tuesday.

The Chinese "knownsec" security team released an advisory on Tuesday in which it admitted that the exploit code was leaked by one of its members, according to Howard.

"According to their notes, they had mistakenly assumed this issue to be for an already patched vulnerability," Howard said.

Microsoft has posted an advisory stating that it was investigating reported attacks.

"Our investigation so far has shown that these attacks are against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008," the company reported yesterday.

Microsoft said it was only aware of "limited attacks that attempt to use this vulnerability". It has advised users to apply the workarounds listed in its advisory.

While Microsoft has played down the threat, Stephan Chenette, manager of security research at Websense's US headquarters, who has also been tracking the exploit's spread across the globe, said the exploit is critical and is expected to lead to a "larger attack" in the coming weeks.

"This exploit is quite critical. There's no user interaction required; all the user has to do is visit a malicious website," Chenette told

The servers hosting the exploit are all located in China and are based on the same networks, Chenette said.

"It looks to be one or a few different groups using this, but it's expected to increase because it was released on Milw0rm," he said. Milw0rm is a website where proof-of-concept exploits are published; the site is used by both security teams and attackers.

"It also helps the attackers create another variation of the attack," he said. "And that's what we've seen: a lot of copy and paste code from the proof of concept."

"Because of how simple this attack is — it's on IE7 and very easy to exploit — we're predicting that we're going to see a larger attack in the next few weeks. Especially because of the timely attack — it happened only one day before Microsoft's patch Tuesday."

Due to the seriousness of the exploit, Microsoft will likely be forced to issue a patch outside its usual Patch Tuesday cycle, said Chenette.

"There's no way that users can wait one more month unpatched without any other protection mechanisms," he said. "Patch Tuesday has always been a point of attack for Microsoft and any company that has a patch cycle."


Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

  • Be Proactive and avoid the impacts caused by zero-day exploits

    This story again directs us to think about managing the current threats - the days of mass-mailing malware are gone and now the attacks are more targeted towards the endpoints. The solution is to prevent this rogue code from executing - which can be achieved by adopting an Application Control solution.

    Application Control provides policy-based enforcement of application use to secure endpoints from malware, spyware, zero-day threats and unwanted or unlicensed software. By employing a whitelist approach, Application Control enables only authorised applications to execute on a network server, terminal services server, thin client, laptop or desktop. Unauthorised applications are prohibited from executing. Malware is virtually eliminated and control is given to administrators over unwanted and unauthorised applications, including bandwidth stealing P2P applications.

    Application policies can be linked to user and user-group information stored in Active Directory or eDirectory, dramatically simplifying the management of endpoint application resources.

    Consider combining with Device Control which provides policy-based enforcement of removable device use to control the flow of inbound and outbound data from your endpoints, reducing the risk of data leakage.
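The allowlisting approach the comment above describes, modelled as an added, runnable example (this is not the commenter's code nor that of any product named on the page). Policy decisions here are default-deny: a launch is allowed only by an approved SHA-256 hash, by a directory rule that applies to everyone, or by a directory rule tied to the user's directory group. The paths, group names and "executable" byte strings are constructed for the example, and the refusal to honour a directory rule inside a user-writable location is this example's own design choice, included because a drive-by download of the kind the article describes drops its payload into exactly such a location.

```python
"""Toy application-control (allowlist) policy engine.

Added illustration of endpoint allowlisting. Paths, directory groups and the
byte strings standing in for executables are all constructed for this example;
the SHA-256 digests are computed over those constructed bytes, not real files.
"""
import hashlib
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Locations a standard user can write to. A directory rule that covers one of
# these is the classic allowlisting mistake: drive-by payloads land right here.
USER_WRITABLE = (
    r"C:\Users",
    r"C:\Documents and Settings",
    r"C:\Windows\Temp",
)


@dataclass(frozen=True)
class LaunchEvent:
    path: str               # image path as the OS reports it
    image: bytes            # constructed stand-in for the executable's contents
    groups: frozenset       # directory groups of the launching user


@dataclass(frozen=True)
class Policy:
    allowed_hashes: frozenset                        # SHA-256 of approved binaries
    allowed_roots: tuple                             # directories approved for everyone
    group_roots: dict = field(default_factory=dict)  # extra directories per group


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _under(path: PureWindowsPath, root: str) -> bool:
    """True when `path` lies inside directory `root` (prefix on path components, not on strings)."""
    try:
        path.relative_to(root)
    except ValueError:
        return False
    return True


def evaluate(policy: Policy, ev: LaunchEvent, guard_writable: bool = True):
    """Return (decision, reason). Anything that matches no rule is denied.

    guard_writable=False reproduces the weak behaviour of honouring a directory
    rule even when the image sits somewhere a standard user can write.
    """
    p = PureWindowsPath(ev.path)
    digest = sha256_hex(ev.image)
    if digest in policy.allowed_hashes:
        return "allow", f"hash rule {digest[:12]}"

    roots = list(policy.allowed_roots)
    for group in ev.groups:
        roots.extend(policy.group_roots.get(group, ()))
    for root in roots:
        if not _under(p, root):
            continue
        if guard_writable and any(_under(p, w) for w in USER_WRITABLE):
            return "deny", f"directory rule {root} matched but {p.parent} is user-writable"
        return "allow", f"directory rule {root}"
    return "deny", "not on allowlist"


# Constructed sample data: one approved browser image and one dropped payload.
IEXPLORE = b"constructed bytes standing in for iexplore.exe"
DROPPED = b"constructed bytes standing in for a trojan dropped by a drive-by"

HARDENED = Policy(
    allowed_hashes=frozenset({sha256_hex(IEXPLORE)}),
    allowed_roots=(r"C:\Program Files", r"C:\Windows"),
    group_roots={"Domain Admins": (r"C:\Tools",)},
)
# A lazy policy that trusts everything on the system drive.
WEAK = Policy(allowed_hashes=frozenset(), allowed_roots=("C:\\",))

USERS = frozenset({"Domain Users"})
ADMINS = frozenset({"Domain Admins"})
EVENTS = {
    "browser":    LaunchEvent(r"C:\Program Files\Internet Explorer\iexplore.exe", IEXPLORE, USERS),
    "notepad":    LaunchEvent(r"C:\Windows\system32\notepad.exe", b"constructed notepad", USERS),
    "dropped":    LaunchEvent(r"C:\Documents and Settings\alice\Local Settings\Temp\svchost.exe", DROPPED, USERS),
    "tool_user":  LaunchEvent(r"C:\Tools\procmon.exe", b"constructed procmon", USERS),
    "tool_admin": LaunchEvent(r"C:\Tools\procmon.exe", b"constructed procmon", ADMINS),
}


def report(policy: Policy, guard_writable: bool = True) -> dict:
    """Decision per sample event under the given policy."""
    return {name: evaluate(policy, ev, guard_writable)[0] for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for label, policy, guard in (("weak, unguarded", WEAK, False),
                                 ("weak, guarded", WEAK, True),
                                 ("hardened", HARDENED, True)):
        print(label)
        for name, ev in EVENTS.items():
            decision, reason = evaluate(policy, ev, guard)
            print(f"  {name:10} {decision:5} {reason}")
```

Running it shows the point of the guard: under the lazy "everything on C:" rule the dropped payload in the user's Temp directory is allowed unless the engine refuses to apply directory rules inside user-writable locations, while the hardened policy denies it simply because nothing matches. It also shows the directory-group linkage the comment mentions: the same tool under C:\Tools runs for a Domain Admins member and is blocked for an ordinary user.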
  • IE7 Exploit

    An application (IE7) can be "forced" into a state for execution of another program !!.....the end result of use of obsolete "discretionary access control (DAC)" operating systems in a globally connected world where program "pedigree" cannot really be assessed. DAC belongs to the closed mainframe days of the protected "data centre".... long gone.

    By now we should be well served with at least "flexible mandatory access control (FMAC)" systems, such as in RedHat Enterprise Linux 5 (Fedora Core 9) and Solaris 10 with Security Extensions. Yes - there is a Common Criteria (CC) profile that is relevant (LSPP - Labelled Security Protection Profile).

    The REAL problem is that both public and private enterprise management have NOT hardened their systems through lack of the necessary enforced regulatory environment... just like the car seat-belt problem, pool fences, and numerous other cases. It is time - as has been pointed out just this week in the USA through the CSIS report on an information security programme for the 44th presidency (See URL - that governments clearly recognised and admitted that "self regulation" and discredited "free market" philosophies DO NOT WORK when it comes to safety and security, as much in ICT as in the now discredited finance industry globally.

    This IE7 problem is just another example.... will it require an ICT "meltdown" before governments act? The great senator Sam Nunn of the USA thought so - but can we wait for that or even tolerate it! The CSIS report recommends that US government purchasing start by leading with compulsory procurement requirements for such FMAC style systems and the upgrade of education and training to match - a great idea. What about Australia?

    Over to our Federal, State and Local government politicians...
  • Can you trust the government?

    Government mandated security solutions don't sound all that bright to me.

    Can you imagine with the mess that would result if someone like Conroy got anywhere near a project like this?
  • Surely Linux+Firefox gives good protection?

    Bill, good to hear from you on this issue. I thought Linux generally was safe against this type of attack, due to root password challenge prior to any update to program area? But as you cited only RedHat5, Fedora9 and Solaris10, perhaps you could be a bit more explicit as to whether the other variants of Linux are safe or not? I have presumed that late version (eg 8.04+) Ubuntu workstations running Firefox browser are safe for three reasons: (a) the malware is primarily designed for Windows execution; (b) Linux requires root password to update program area; and (c) Firefox does not suffer this latest IE7 vulnerability.