Microsoft issued an advisory late Wednesday warning customers of new attacks against a zero-day vulnerability in Internet Explorer.
Chinese security researchers may have mistakenly released the code to exploit the flaw. Verisign's iDefense released an advisory explaining that the Chinese Knownsec security team admitted the mistake.The software giant said in its advisory that the attacks are against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1 and Windows Server 2008. The vulnerability could be exploited by an attacker to gain the same user rights as the local user.
Microsoft has recommended steps to limit the risk until a patch is made available. Using protected mode in IE 7 limits the threat. The browser should also be running in Enhanced Security Mode, Microsoft said.
Bill Sisk, the response communication manager for the Microsoft Security Response Center (MSRC), did not rule out an out-of-cycle patch to correct the flaw, he wrote in the MSRC blog.
"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers," Sisk said. "This may include providing a security update through our monthly release or out-of-cycle, if necessary."
Researchers said the attack attempts to exploit a vulnerability in the way IE processes XML.
"The vulnerability is caused by a function that incorrectly frees a certain region of heap memory so that an attacker is able to control the EAX register with a specially crafted Unicode URL, which includes the magic "0x0A0A" value in it," Elia Florio, a security researcher at Symantec, wrote in a Symantec blog entry.
Florio said Symantec traced the attacks back to "Chinese domains and websites, which are used by the exploit to install and download additional malicious code components."
Symantec released both antivirus and IPS signatures to protect against the exploit.
Wolfgang Kandek, chief technology officer of patch management vendor Qualys Inc., said the browser is by far the biggest attack vector. Both Mozilla and Opera are moving ahead by implementing automatic patching to protect customers, he said. Microsoft continues to patch from the OS level.
"It is more reliable for an attacker to exploit a server vulnerability (after all, there is no human intervention required), but today the Web browser is the "killer application" that everybody uses," Kandek said. "Patching for browsers should be immediate and continuous and be removed from the OS level and included in the browser itself."
The IE 7 flaw is the second zero-day acknowledged by Microsoft this week. The software giant issued an advisory Tuesday warning customers of vulnerability in the Wordpad Converter for Word 97 files affecting Windows 2000 SP4, Windows XP SP2 and Windows Server 2003 SP1 and SP2. In order to exploit the flaw, an attacker must trick a user into opening an attachment that is sent in an email. A successful attack could give the attacker the same user rights as the local user.