Microsoft is warning customers that ongoing zero-day attacks against a flaw in Internet Explorer 7 now affect all versions of the Web browser.
Earlier attacks were only targeting IE 7, but the underlying vulnerability, an error in the way the browser processes XML, affects all currently supported versions of IE. Security experts are warning that the threat is serious because the vulnerability could be exploited by an attacker to gain the same user rights as the local user, and ultimately gain access to sensitive data.
"Our latest information is that there are still limited attacks seeking to load malicious software on vulnerable systems," Christopher Budd, security response communications lead for Microsoft, wrote on the Microsoft Security Response Center (MSRC) blog.
In the updated advisory, Microsoft recommends setting the Internet zone security setting to high and using ACLs to disable Ole32db.dll. The change should lower the threat until a patch is released, Budd said.
Earlier this week, Verisign's iDefense security group said a group of Chinese security researchers may have mistakenly released the code in the wild. The exploit is being tied to the Chinese Knownsec security team, which admitted the mistake in a blog post.
Danish vulnerability clearinghouse Secunia has given the flaw an extremely critical rating because the flaw is being actively exploited.
In a McAfee Avert Labs blog post, security researchers Geok Meng Ong and Xiaobo Chen explained how the exploit contains a downloader that installs malware onto a victim's machine.
"We have confirmed this vulnerability to be affecting, at least, a fully patched Windows XP SP3 and a Vista SP1 system," the researchers said. "The exploit uses publicly known heap-spray techniques that enable control over a vtable pointer, allowing arbitrary code execution."
The zero-day was discovered just a day after Microsoft issued eight security bulletins to repair 28 flaws in its product line, including several serious flaws in Internet Explorer. Bulletin MS08-073 addresses memory corruption errors in the way IE handles certain navigation methods. Microsoft gave the flaws a "1" on its Exploitability Index, warning that consistent exploit code is likely in the wild.