
Hackers exploiting (unpatched) IE 7 flaw to launch drive-by attacks

Written by Ryan Naraine, Contributor
Malicious hackers are exploiting a zero-day flaw in Microsoft's Internet Explorer browser to launch a new wave of drive-by downloads, according to a warning from security researchers.

The Web attacks, first reported by Bob McMillan, take aim at users running IE 7 on Windows XP SP2 and include the use of a Trojan downloader that commandeers Windows machines for nefarious purposes. They come on the same day Microsoft will ship critical patches for a wide range of vulnerabilities, including some affecting Internet Explorer.

I have confirmed the exploits have been rigged into hacked Chinese-language Web sites. According to this blog post (Google translation), there is public proof-of-concept code that suggests the attacks may become more widespread.

[ GALLERY: How to configure Internet Explorer to run securely ]

McMillan reports:

The code exploits a bug in the way IE handles XML (Extensible Markup Language) and works on the browser about "one in three times," Huang said in an instant message interview. For the attack to work, a victim must first visit a Web site that serves the malicious JavaScript code that takes advantage of the flaw.

In attacks, the code drops a malicious program on the victim's PC which then goes to download malicious software from various locations.

[ SEE: Coming on Patch Tuesday: 8 bulletins, 6 critical ]

A spokesman for Microsoft said the company is investigating the issue and offered this statement:

Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.

To minimize risk to computer users, Microsoft continues to encourage responsible disclosure.  By reporting vulnerabilities directly to a vendor, it helps ensure that customers receive comprehensive, high-quality updates while reducing the risk of attack.

Later today, Microsoft plans to ship a "critical" IE update to fix code execution holes in the world's most widely used Web browser.  However, that patch will not provide cover for this latest vulnerability.
