New Internet Explorer bug found in the wild

Attackers recently leveraged a zero-day vulnerability in Internet Explorer (IE) as part of a targeted email campaign that tried to trick users into following a link to a legitimate website infected with malware, researchers at Symantec said Wednesday.

The vulnerability, revealed in an advisory by Microsoft, affects all supported versions of IE. Jerry Bryant, group manager of response communications at Microsoft's Trustworthy Computing Group, said Wednesday that the software giant is not aware of any affected customers.

An exploit that tried to take advantage of the flaw showed up on a credible website but has since been removed, Bryant said in a blog post. He did not name the victim site.

Symantec researcher Vikram Thakur said in a blog post that several days ago, engineers learned that a "select group of individuals" were targeted through fraudulent emails seeking to confirm hotel room reservations.

The body of the messages contained a link that pointed to a page on a legitimate website. That page contained a script designed to learn which browser and operating system versions the victims were running. If they were using IE 6 or 7, the script automatically directed them to a drive-by download page. Otherwise, it took them to a blank page.

"Visitors who were served the exploit page didn't realize it but went on to download and run a piece of malware on their computer without any interaction at all," Thakur wrote. "The vulnerability allowed for any remote program to be executed without the end user's notice."

Symantec researchers discovered that despite many employees being targeted globally, few victims actually accessed the malware file, which means most were using a browser other than IE 6 or 7.

Thakur also did not name the compromised site but said it was taken down a short time after Symantec notified Microsoft of the threat.

The Microsoft advisory contains a workaround that IT administrators are advised to follow.

In addition, IE 8, the latest version, contains Data Execution Prevention safeguards, which likely will protect users from an exploit.
