
New zero-day exploits for Internet Explorer in the wild

As IT administrators grapple with the unpatched vector markup language (VML) vulnerability, a team of security experts at Sunbelt Software today reported a new zero-day exploit affecting Microsoft's Internet Explorer (IE) and requiring no user initiation.

Researchers discovered two pornographic websites hosting the new, in-the-wild exploit, caused by a buffer overflow impacting the DirectAnimation Path ActiveX control, Eric Sites, Sunbelt's vice president of research and development, told today.

Proof-of-concept code for the bug was first published Sept. 13 on two hacker websites, but the exploits did not appear until today, he said. The exploit causes a fully patched IE to crash and installs malware, including password-stealing backdoor trojans.

"It affects anyone running the internet," said Sites. "It can download anything to your machine just by going to a website."

Meanwhile, administrators are anxiously awaiting an official fix for the VML exploit. Its payload includes the installation of financially motivated malware, such as keyloggers and spyware.

At least 2,000 domains have been hijacked to redirect users to infected websites, Ken Dunham, director of VeriSign iDefense's Rapid Response Team, said this afternoon.

Sites said about 15,000 domains have been exploited by VML.

A Microsoft spokesman could not immediately be reached for comment today. However, company researcher Scott Deacon said on the Microsoft Security Response Center blog on Friday, "Attacks remain limited. There's been some confusion about that, that somehow attacks are dramatic and widespread. We're just not seeing that from our data."

The newly formed Zeroday Emergency Response Team (ZERT) has released a temporary fix for the VML exploit, again raising the debate over third-party patches.

Sites suggests the ZERT fix as an option. For the exploit discovered today, he suggests users run an alternate web browser, such as Mozilla's Firefox, as the number of exploited sites should continue to grow, especially if Microsoft releases an out-of-cycle patch for the VML exploit.

"We've got two of them out there," Sites said. "This is making it very hairy to be on the internet and just surfing around."

Reporter: Dan Kaplan.
