A zero-day exploit targeting an Internet Explorer (versions 5 and forward) vulnerability is being used to install a Trojan on vulnerable systems. Experts warn that it's only a prelude to a series of attacks that are likely to be highly successful.
"This zero-day exploit is huge. It will likely be a major and highly successful, vector of attack upon thousands of computers for some time," says Ken Dunham, malicious code intelligence manager at iDEFENSE. "We have verified that attackers are installing backdoor Trojans and dialers on targeted computers at will."
"Multiple examples of the exploit code are available for attackers to analyze and use in crafting their own attack," adds Dunham. "This type of code availability and underground activity traditionally foreshadows a flurry of malicious attacks."
Microsoft first issued a patch for the "object type" vulnerability on Aug. 20. The flaw allows an attacker to compromise a system by embedding malicious code in a Web page. Even when the Web page is viewed with a fully patched IE browser, the malicious code embedded in it will execute, because the "object type" vulnerability patch doesn't prevent this variation of the flaw. Microsoft plans to issue a fix shortly.
"Microsoft is investigating reports of a malicious Web site that exploits a variation on a vulnerability originally patched in MS03-032," said a Microsoft spokesman. "While we will release a fix for this variation shortly, users can help protect against this newly reported issue by changing their IE Internet security zone settings to prompt them before running ActiveX components. MSO3-032 has been updated to included steps for customizing IE security settings."
Unlike some other vulnerabilities, this one requires no user interaction.
"This isn't a training issue where users are told not to accept certain certificates or controls," says Dunham. "If a computer is vulnerable it will be infected without any user interaction other than simply surfing the Internet."