The vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
According to Symantec's Vikram Thakur, the IE flaw is being used in a blended attack that combines social engineering (well-tailored e-mail lures) and drive-by downloads to load a backdoor Trojan on infected computers.
Thakur said the hackers sent e-mails to a select group of individuals within targeted organizations. "Within the e-mail the perpetrators added a link to a specific page hosted on an otherwise legitimate website. The hackers had gotten access to the website account and uploaded content without the owners knowing," he explained.
He said the the link pointed to a page which contained a script looking to see what OS/browser combination the target was using. "Since the specific exploit page only worked when someone was using Internet Explorer 6 and 7, the script only transferred the visitor to the page hosting the exploit when this condition was met. In other cases the users didn't see anything but a blank website," Thakur said.
Although the exploit is geared towards IE 6 and IE 7 users, Microsoft makes it clear the vulnerability also affects IE 8 on all supported versions of Windows.
Visitors who were served the exploit page didn't realize it, but went on to download and run a piece of malware on their computer without any interaction at all. The vulnerability allowed for any remote program to be executed without the end user's notice. Once infected, the malware set itself to start up with the computer, along with a service named 'NetWare Workstation'. The piece of malware opens a backdoor on the computer and then contacts remote servers. It tries to contact a specific server hosted in Poland for small files named with a .gif extension. These small files are actually encrypted files with commands telling the Trojan what to do next.
Microsoft says Internet Explorer 9 Beta users are not affected by this issue.
Impacted versions include Internet Explorer 6, 7 and 8, although our ongoing investigation confirms that default installations of IE8 are unlikely to be exploited by this issue. This is due to the defense in depth protections offered by Data Execution Prevention (DEP), which is enabled by default in Internet Explorer 8 on all supported Windows platforms.
In the absence of a patch, Microsoft recommends that IE users:
Override the Web site CSS style with a user defined CSS
Deploy the Enhanced Mitigation Experience Toolkit
Enable Data Execution Prevention (DEP) for Internet Explorer 7
Read e-mails in plain text
Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones