Unpatched security vulnerability in Internet Explorer 7 is being actively exploited 
(12/12/2008)
An unpatched security vulnerability in Internet Explorer v7 is being actively exploited in-the-wild. Worryingly, the successful exploit of this vulnerability allows attackers to control the infected computer and access any personal information without the user being aware.
The vulnerability centers on Internet Explorer’s handling of specially crafted XML tags which can leave the browser susceptible to a heap spray attack. In the attacks observed by ScanSafe, successful exploit would result in the installation of a data theft Trojan with autorun worm capabilities.
The timing of the release of the exploit appears to be a deliberate jab at Microsoft. On the second Tuesday of each month, dubbed “patch Tuesday”, Microsoft releases security updates for its products. On December 9th, Microsoft released 8 security patches to resolve a total of 28 vulnerabilities. Those patches do not address the IE7 zero-day flaw. Details of the IE7 exploit were reportedly released on December 6th and ScanSafe’s 24/7 scanners observed the first active exploit of zero-day on December 8th.
Mary Landesman, senior security researcher at ScanSafe, comments “Zero-day exploits involving any widely used software are particularly concerning. When it impacts a browser as widely used as Internet Explorer, it can have serious implications. Predictably, attackers were very quick to add the IE7 exploit to their tool kit and we anticipate these attacks will escalate over the coming weeks.”
In addition, two other zero-day vulnerabilities have been discovered. One impacts Microsoft SQL Server 2000 and is alleged to be remotely exploitable via SQL injection attacks. Alarmingly, unlike typical SQL injection attacks which pose the greatest risk to site visitors, this particular attack would directly impact the server as well. A third zero-day vulnerability has been reported in WordPad’s text conversion feature.
Microsoft has reported that there are “targeted attacks seeking to exploit this vulnerability” and has released Microsoft Security Advisory 960906 in response to the discovery.
Related topics: Application and software security Computer and PC Security Hacking and intrusion prevention Internet and Web security Virus, Worm, Email security, spyware and malware
Print version | 
Email to a friend | 
Related articles
Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.
Other Security news and resources
Security News
Suppliers Directory
Jobs forum
Classifieds
Knowledge base
White papers
Research library
Security books
Special reports
Security interviews
Security companies
Security events
Security links
Security market
Product channels
Access Control Biometrics CCTV Intruder Alarms IT Security Manned Guarding Perimeter Protection Physical Security Remote Monitoring Security Services Fire, Health & Safety Other Security Products
IT Security white papers and research library
Access Control Authentication Data Management Data Security Digital Signatures Email Security Identity Management Internet Security Intrusion Prevention Network Security Remote access security Security Management Security Policies Security Software Security Threats Virus Detection Software Virus Protection VPN Vulnerability Assessment Wireless Security
Security books, guides, standards and toolkits
RFID and Smart Cards books, guides and reference documents Biometric books, guides and reference documents CCTV books, guides and reference documents Intruder alarms and intrusion detection systems books, guides and reference documents Monitoring and surveillance books, guides and reference documents IT Governance, ISO 27001 ISO 17799 and BS 7799 toolkits Fire, Health & Safety books, guides and reference documents
