Internet Explorer 7 users have been exposed to a zero-day exploit that may have been accidentally let loose by Chinese security researchers.
The malware is expected to cause havoc over the Christmas period, according to several security companies.
Rick Howard, director of intelligence at iDefense Security Intelligence Services said the exploit was accidentally released by a Chinese security team on Tuesday — the same day Microsoft released a massive update — and has now been incorporated into exploit toolkits designed to install information-stealing Trojans.
"The IE7 zero-day is really nasty. No patch. Mitigation options are not good; some are draconian. Dig in folks; this could be a rough ride," said Howard.
According to browser tracking service W3schools, IE7 accounted for 26 percent of the world's browsers in November.
The exploit first appeared in China last Tuesday and has quickly morphed into several variants, according to Howard. iDefense has given the exploit a 'high' threat rating because it works against systems that were fully patched as of Microsoft's December Patch Tuesday.
The exploit takes advantage of a heap overflow flaw in the XML parser, according to the security training organisation the SANS Institute.
The Chinese 'knownsec' security team released an advisory on Tuesday in which it admitted that the exploit code was leaked by one of its members, according to Howard.
"According to their notes, they had mistakenly assumed this issue to be for an already-patched vulnerability," Howard said.
Microsoft has posted an advisory stating that it was investigating reported attacks.
"Our investigation so far has shown that these attacks are against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1 and Windows Server 2008," the company reported yesterday.
Microsoft said it was only aware of "limited attacks that attempt to use this vulnerability". It has advised users to apply the workarounds listed on its site.
While Microsoft has played down the threat, Stephan Chenette, manager of security research at Websense's US headquarters, who had also been tracking the exploit's passage across the globe, said the exploit was critical and was expected to lead to a "larger attack" in the coming weeks.
"This exploit is quite critical. There's no user interaction required; all the user has to do is visit a malicious website," Chenette told ZDNet UK's sister site ZDNet.com.au.
The servers hosting the exploit are all located in China and are based on the same networks, Chenette said.
"It looks to be one or a few different groups using this, but it's expected to increase because it was released on Milw0rm," he said. Milw0rm is a website where proof-of-concept exploits are published; however, the site is used by both security teams and attackers.
"It also helps the attackers create another variation of the attack," he said. "And that's what we've seen: a lot of copy and paste code from the proof of concept."
"Because of how simple this attack is — it's on IE7 and very easy to exploit — we're predicting that we're going to see a larger attack in the next few weeks. Especially because of the timely attack — it happened only one day before Microsoft's Patch Tuesday."
Due to the seriousness of the exploit, Microsoft is likely to be forced to issue a patch outside its usual Patch Tuesday cycle, said Chenette.
"There's no way that users can wait one more month unpatched without any other protection mechanisms," he said. "Patch Tuesday has always been a point of attack for Microsoft and any company that has a patch cycle."