Nov 17, 2010 09:50 GMT

Security researchers feel that Microsoft should release an out-of-band patch to address an actively exploited Internet Explorer vulnerability, after an exploit for it was added to the Eleonore drive-by download toolkit.

The vulnerability, identified as CVE-2010-3962, was discovered in the wild at the beginning of the month by security researchers from Symantec.

Initially, it was exploited in a limited email-based attack which targeted key people in various organizations by directing them to a rigged Web page.

Microsoft responded by publishing an advisory and providing workaround instructions. According to the company, Internet Explorer 6, 7 and 8 on all Windows versions are affected, but their exploitability index varies.

For example, default installations of Internet Explorer 8, which comes with Data Execution Prevention (DEP) enabled, are unlikely to be exploited successfully.

The original attack targeted only IE 6 and IE 7 users, but even under those circumstances, the exploit was not very reliable.

However, a few days later, security vendor FireEye reported an improved attack that was likely orchestrated by the same perpetrators.

Because the vulnerability was discovered shortly before this month's Patch Tuesday, Microsoft did not have enough time to prepare a fix and get it out.

The company's options are now to wait for the next patch cycle on December 7 or push out an out-of-band IE update.

The second solution is favored by security researchers, especially after an exploit for the flaw made its way into new Eleonore versions last week.

Eleonore is a very popular drive-by download toolkit, which is available for purchase on the underground market and can be used to infect users with malware by exploiting vulnerabilities in popular applications.

"This raises the stakes considerably, as it means that anyone can buy the kit for a few hundred bucks, and they have a working 0-day. What this means to Microsoft, is that they should consider issuing an out-of-band patch," said Roger Thompson, chief research officer at antivirus vendor AVG.