Jun 29, 2011 05:22 GMT

Security researchers report that a remote code execution vulnerability in Internet Explorer was exploited in the wild before Microsoft patched it earlier this month.

The vulnerability, known as CVE-2011-1255, affects IE 6, 7, and 8 on all Windows versions and was fixed as part of Microsoft's MS11-050 Security Bulletin released on June 14.

Microsoft credited the vulnerability to an anonymous researcher who reported it through VeriSign's iDefense Labs.

"Based on data we have reviewed from various sources, we can say with a high level of certainty that the anonymous researcher who, according to Microsoft's security advisory, reported the vulnerability details to VeriSign iDefense, or at least one of his acquaintances, had used the vulnerability details for malicious purposes as part of targeted attacks," malware experts from M86 Security say.

The company discovered a compromised website injected with code that exploited this vulnerability prior to Microsoft fixing it.

The same server that served the payload in this attack appears to have been used last year to exploit a different IE 0-day vulnerability (CVE-2010-0806).

Because the attacker's obfuscation method relies on inserting the shellcode into the DOM through a div element, the M86 researchers were able to use Google to find over a dozen compromised websites serving this exploit.
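The same indicator M86 searched for, shellcode stored as text inside a div, can be turned into a defensive scan of a site's own pages. This is an added example, not M86's tooling; the escape-run thresholds and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Runs of JavaScript-style %uXXXX escapes or long hex strings are the usual
# carriers for shellcode placed into the DOM as text (thresholds assumed).
UNICODE_ESCAPE_RUN = re.compile(r'(?:%u[0-9a-fA-F]{4}){32,}')
HEX_RUN = re.compile(r'[0-9a-fA-F]{256,}')


class DivTextCollector(HTMLParser):
    """Collect the text content of every <div>, nested ones included."""

    def __init__(self):
        super().__init__()
        self.buffers = []   # one text buffer per currently open div
        self.divs = []      # text of each closed div, in document order

    def handle_starttag(self, tag, attrs):
        if tag == 'div':
            self.buffers.append([])

    def handle_data(self, data):
        for buf in self.buffers:     # text belongs to every enclosing div
            buf.append(data)

    def handle_endtag(self, tag):
        if tag == 'div' and self.buffers:
            self.divs.append(''.join(self.buffers.pop()))


def find_suspicious_divs(html):
    """Return (div_index, kind, text_length) for divs whose text looks like encoded shellcode."""
    parser = DivTextCollector()
    parser.feed(html)
    findings = []
    for i, text in enumerate(parser.divs):
        compact = re.sub(r'\s+', '', text)   # ignore whitespace padding
        if UNICODE_ESCAPE_RUN.search(compact):
            findings.append((i, 'unicode-escape-run', len(compact)))
        elif HEX_RUN.search(compact):
            findings.append((i, 'hex-run', len(compact)))
    return findings


# Constructed sample page: a benign div followed by a hidden div carrying a fake %u blob.
SAMPLE_PAGE = ('<html><body><div id="content">Welcome to our site</div>'
               '<div id="x" style="display:none">' + '%u4141' * 40 + '</div>'
               '</body></html>')

if __name__ == '__main__':
    print(find_suspicious_divs(SAMPLE_PAGE))  # [(1, 'unicode-escape-run', 240)]
```

Running this over crawled copies of your own pages flags the div for analysis; a hit is a lead, not proof, since long hex blobs also appear in legitimate inline data.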

It's very likely that this vulnerability will be included in drive-by download kits and exploited for some time to come. Symantec already reported attacks that targeted this vulnerability after Microsoft patched it.

The malware installed by successful exploitation in Symantec's report is a trojan that connects to a remote server over HTTP and awaits instructions.

Users and companies alike are urged to apply the patch for this vulnerability, as well as the other security updates Microsoft released for Internet Explorer this month.