Attackers recently leveraged a zero-day vulnerability in Internet Explorer (IE) as part of a targeted email campaign that tried to trick users into following a link to a legitimate website infected with malware, researchers at Symantec said Wednesday.
The vulnerability, revealed in an advisory by Microsoft, affects all supported versions of IE. Jerry Bryant, group manager of response communications at Microsoft’s Trustworthy Computing Group, said Wednesday that the software giant is not aware of any affected customers.
An exploit that tried to take advantage of the flaw showed up on a legitimate website but has since been removed, Bryant said in a blog post. He did not name the victim site.
Symantec researcher Vikram Thakur said in a blog post that several days ago, engineers learned that a “select group of individuals” were targeted through fraudulent emails seeking to confirm hotel room reservations.
The body of the messages contained a link, which pointed to the page of a legitimate website that contained a script designed to learn which browser and operating system versions the victims were running. If they were using IE 6 and 7, the script automatically directed them to a drive-by download page. Otherwise, it took them to a blank page.
“Visitors who were served the exploit page didn’t realize it but went on to download and run a piece of malware on their computer without any interaction at all,” Thakur wrote. “The vulnerability allowed for any remote program to be executed without the end user’s notice.”
Symantec researchers discovered that despite many employees being targeted globally, few victims actually accessed the malware file, which means most were using a browser other than IE 6 or 7.
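The chain described above (a page that fingerprints the browser, sends IE 6/7 users on to a drive-by page, and only then serves a malware file) leaves a recognisable pattern in proxy logs: an old-IE client's page visit followed within seconds by an executable download from a different host. The following is an added example of that detection logic, not code from the article or from Symantec; the log format, hostnames and timestamps are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not from the article): time, client IP,
# User-Agent, requested URL, HTTP status, response content type.
SAMPLE_LOG = """\
2010-03-10T09:01:05 10.0.0.7 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" http://hotel-example.invalid/reservation.html 200 text/html
2010-03-10T09:01:06 10.0.0.7 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" http://driveby-example.invalid/exploit.html 200 text/html
2010-03-10T09:01:08 10.0.0.7 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" http://driveby-example.invalid/update.exe 200 application/octet-stream
2010-03-10T09:03:11 10.0.0.9 "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6" http://hotel-example.invalid/reservation.html 200 text/html
2010-03-10T09:03:12 10.0.0.9 "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6" http://hotel-example.invalid/blank.html 200 text/html
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\d{3}) (\S+)$')
OLD_IE_RE = re.compile(r"MSIE [67]\.")          # the versions the campaign targeted
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}

def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, ua, url, status, ctype = m.groups()
            rows.append({"ts": datetime.fromisoformat(ts), "ip": ip, "ua": ua,
                         "url": url, "status": int(status), "ctype": ctype})
    return rows

def find_driveby_chains(rows, window_seconds=30):
    """Return (client_ip, landing_url, download_url) for IE 6/7 clients whose
    HTML page visit was followed within the window by a binary download
    served from a different host than the landing page."""
    hits = []
    window = timedelta(seconds=window_seconds)
    for dl in rows:
        if dl["ctype"] not in BINARY_TYPES or not OLD_IE_RE.search(dl["ua"]):
            continue
        dl_host = urlparse(dl["url"]).hostname
        # Candidate landing pages: same client, HTML, shortly before, other host.
        landing = [r for r in rows
                   if r["ip"] == dl["ip"] and r["ctype"] == "text/html"
                   and dl["ts"] - window <= r["ts"] < dl["ts"]
                   and urlparse(r["url"]).hostname != dl_host]
        if landing:
            first = min(landing, key=lambda r: r["ts"])
            hits.append((dl["ip"], first["url"], dl["url"]))
    return hits
```

Clients on other browsers, which the article says were sent to a blank page, produce no download and so are not flagged.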
Thakur also did not name the compromised site but said it was taken down a short time after Symantec notified Microsoft of the threat.
The Microsoft advisory contains a workaround that IT administrators are advised to apply.
In addition, IE 8, the latest version, contains Data Execution Prevention safeguards, which likely will protect users from an exploit.