Updated March 30 with additional attack details from McAfee Inc. and on a third-part patch offered by eEye.
Attackers are using a new, unpatched flaw in Internet Explorer to compromise machines running a number of versions of Windows, including Vista. Microsoft Corp. confirmed the attacks Thursday in an
Aliso Viejo, Calif.-based eEye Digital Security announced on its zero-day tracker that it has come up with a temporary fix.
"The temporary patch mitigates this vulnerability by preventing cursors from being loaded outside of %SystemRoot%," eEye said. "This disallows Web sites from loading their own, potentially malicious animated icons, while causing little to no business disruption on hosts with the patch installed."
Microsoft confirmed the existence of the zero-day flaw Thursday.
"Microsoft is investigating new public reports of targeted attacks exploiting a vulnerability in the way Windows handles animated cursor (.ani) files," the company said in its advisory. "In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted email message or email attachment sent to them by an attacker."
The French Security Incident Response Team (FrSIRT) said in an advisory that the problem is a memory corruption error that surfaces when the operating system renders malformed cursors, animated cursors or icons. Attackers could exploit this to run malicious commands on a victim's machine. The flaw affects:
- Windows 2000 Service Pack 4
- Windows XP Service Pack 2
- Windows XP 64-Bit Edition Version 2003 (Itanium)
- Windows XP Professional x64 Edition
- Windows Server 2003
- Windows Server 2003 (Itanium)
- Windows Server 2003 Service Pack 1
- Windows Server 2003 SP1 (Itanium)
- Windows Server 2003 x64 Edition
- Windows Vista
- Internet Explorer 6
- Internet Explorer 7
"As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources," Microsoft said, adding that Windows Live OneCare's safety scanner has been updated to remove any malware that exploits the flaw.
Craig Schmugar of McAfee Inc.'s Avert Labs said in a blog posting that the lab has received a sample of one piece of malware that targets the flaw.
"Preliminary tests demonstrate that Internet Explorer 6 and 7 running on a fully patched Windows XP SP2 are vulnerable to this attack," he wrote. "Windows XP SP0 and SP1 do not appear to be vulnerable, nor does Firefox 2.0. Exploitation happens completely silently.
He said it's likely similar exploits targeting the flaw are currently being used in other attacks on the Web.
Microsoft acknowledged last week that it's investigating reports of another flaw in Vista.
That flaw reportedly affects Windows Mail on all versions of Vista. Cupertino, Calif.-based antivirus giant Symantec Corp. said attackers could potentially exploit a design flaw to delete files or shut down the victim's computer.