While looking around a compromised server that was being used to exploit Java vulnerabilities, a security researcher stumbled upon another exploit that he claims affects fully patched versions of Microsoft Internet Explorer 7, 8 and 9.
Eric Romang found four files on the server: an executable, a Flash Player movie and two HTML files called exploit.html and protect.html.
When users visit the exploit.html page, it loads the Flash movie, which in turn loads the other HTML page, protect.html. Together, they help drop the executable onto the victim's computer. At this point, attackers have everything they need to drop whatever applications they like on the victim's machine, whether it is to join a botnet or conduct attacks. In this case, the dropper executable installs another program when the victim next logs in.
Romang discussed the zero-day with other security researchers, who came to the same conclusion: that this was a vulnerability in Internet Explorer.
However, Romang's presence has not gone unnoticed by those behind the exploit. Shortly after Romang discovered the zero-day, the exploit authors removed the files from the server, replacing them with a text file containing Romang's Twitter handle, "eromang". They also removed the previous Java exploit that was on the server.
The vulnerability has also been picked up by developers working on the Metasploit exploit framework, and an early version of a module exploiting the zero-day has already been created.
Updated at 8.57 a.m. on Tuesday September 18, 2012 AEST (3:57 p.m. on Monday September 17, 2012 PT): Clarified that IE9 is vulnerable.