James Delahunty
3 Nov 2010 22:22
A previously unknown Internet Explorer bug has been used in target attacked online, security researchers warned today.
An unidentified website has been breached by the unknown attackers, who injected code that can exploit a flaw in the Internet Explorer browser. The perpetrators sent e-mails to selected individuals who were part of targeted organizations, luring them to the hacked webpage.
If the user was running Internet Explorer 6, or Internet Explorer 7, they may have been infected with a backdoor trojan. No user intervention would have been required for the malware to be delivered if the flaw was exploted successfully. Internet Explorer 8 "might" be technically vulnerable to the flaw, but the browser's built-in Data Execution Protection (DEP) would cause the webpage to crash instead.
"Looking at the log files from this exploited server we know that the malware author had targeted more than a few organizations," Symantec reported. "The files on this server had been accessed by people in lots of organizations in multiple industries across the globe."
The flaw lies in IE's handing of Cascading Style Sheets. The browser under-allocates memory, allowing data to be overwritten in memory vtable pointers. This can allow an attacker to inject code and execute it.
Microsoft has not said when a patch will be made available for the flaw but it is not likely to be released out of cycle due to it being ineffective with Internet Explorer 8. For those running IE6 or IE7 who cannot update for any particular reason, there is always the Enhanced Mitigation Experience Toolkit (EMET) provided by Microsoft to help IT Professionals protect systems from common threats. EMET works by applying security mitigation technologies to arbitrary applications to block against exploitation through common attack vectors.