IE7 XML parsing zero day exploited in the wild
And if that's not enough, Microsoft is also investigating a second zero day, this one affecting the WordPad text converter, according to an advisory issued yesterday.
Not surprisingly, the IE7 exploit is already in circulation, with the Shadowserver Foundation keeping track of the malicious domains using it, the majority of which remain active. Although in its current form the exploit code is easy to spot through generic detection of potentially malicious shellcode, sampling several of the domains serving it reveals that the Chinese hackers behind it are also taking advantage of several other client-side vulnerabilities in order to increase the chances of a successful infection. A typical exploit structure looks like the following:
baidu .bbtu01. cn/c0x.htm
baidu. bbtu01. cn/ie07.htm
baidu. bbtu01. cn/104.htm
baidu. bbtu01. cn/a0s.htm
baidu. bbtu01. cn/c0e.htm
baidu. bbtu01. cn/lzz.htm
baidu. bbtu01. cn/Bf0yy.htm
baidu. bbtu01. cn/rea0l10.htm
baidu. bbtu01. cn/real11.htm
For now the malicious domains are only injected into legitimate Chinese sites and forums as iFrames, but this could easily change, with more legitimate international sites starting to get targeted. What are they after this time? Passwords for popular online games in China.
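To make the two observations above concrete, the injected iFrame on a legitimate site and the generic shellcode signature that currently gives the exploit pages away, here is an added example of a small page scanner. It is not code from the original post or from any of the parties mentioned; the HTML samples are constructed stand-ins (the hostnames are placeholders, not the domains listed above, and the "shellcode" is NOP-style filler rather than a real payload). It flags hidden or off-host iFrames and long runs of %uXXXX unicode escapes, which is the kind of generic check a scanner uses to spot unescape()-packed shellcode and heap sprays before any exploit-specific signature exists.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect every <iframe> on a page and note whether it is visually hidden."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (
            a.get("width", "").strip() in ("0", "1")
            or a.get("height", "").strip() in ("0", "1")
            or "display:none" in style
            or "visibility:hidden" in style
        )
        self.iframes.append({
            "src": a.get("src", ""),
            "host": urlparse(a.get("src", "")).hostname or "",
            "hidden": hidden,
        })


def collect_iframes(html):
    p = IframeCollector()
    p.feed(html)
    return p.iframes


# Sixteen or more consecutive %uXXXX escapes: far longer than any legitimate
# unescape() of a few non-ASCII characters, typical of packed shellcode/spray.
UNICODE_ESCAPE_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4}){16,}")


def find_shellcode_blobs(html):
    """Return the decoded byte length of each long %uXXXX run (2 bytes per token)."""
    return [len(m.group(0)) // 6 * 2 for m in UNICODE_ESCAPE_RUN.finditer(html)]


def scan(html, page_host):
    """Summarise iframe fan-out, hidden/off-host frames and shellcode-like blobs."""
    frames = collect_iframes(html)
    blobs = find_shellcode_blobs(html)
    off_host = sorted({f["host"] for f in frames if f["host"] and f["host"] != page_host})
    hidden = sum(1 for f in frames if f["hidden"])
    return {
        "frames": len(frames),
        "hidden_frames": hidden,
        "off_host_frames": off_host,
        "shellcode_bytes": blobs,
        "suspicious": hidden > 0 or bool(blobs),
    }


# Constructed samples (placeholder hosts, not the real malicious domains).
# 1. A legitimate forum page with a zero-size iframe injected into it.
INJECTED_PAGE = """<html><body>
<h1>Forum thread</h1>
<iframe src="http://landing.example.invalid/index.htm" width="0" height="0"></iframe>
</body></html>"""

# 2. The landing page, fanning out to several per-vulnerability exploit pages.
LANDING_PAGE = """<html><body>
<iframe src="c0x.htm" width="100" height="100"></iframe>
<iframe src="ie07.htm" width="100" height="100"></iframe>
<iframe src="real11.htm" width="100" height="100"></iframe>
</body></html>"""

# 3. One exploit page: shellcode packed with unescape(). The payload here is
#    32 tokens of inert filler (0x9090 / 0x4141), a stand-in for real shellcode.
_FILLER = "%u9090" * 24 + "%u4141" * 8
EXPLOIT_PAGE = (
    '<html><body><script>var sc = unescape("' + _FILLER + '");'
    "</script></body></html>"
)

# 4. A benign page that legitimately unescapes two accented characters.
BENIGN_PAGE = '<html><body><script>document.title = unescape("%u00e9%u00e8");</script></body></html>'


if __name__ == "__main__":
    for name, html, host in [
        ("injected", INJECTED_PAGE, "forum.example.org"),
        ("landing", LANDING_PAGE, "landing.example.invalid"),
        ("exploit", EXPLOIT_PAGE, "landing.example.invalid"),
        ("benign", BENIGN_PAGE, "example.org"),
    ]:
        print(name, scan(html, host))
```

The landing page by itself is not flagged: a handful of same-host iFrames is only evidence in combination with where the page was reached from and what the frames contain, which is why the scanner reports frame count and off-host targets separately from the verdict. The escape-run check is deliberately crude; it is the generic detection the post refers to, and attackers routinely sidestep it by re-encoding the payload, so it buys time rather than lasting coverage.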