Nov 4, 2010 09:33 GMT

Symantec warns that a 0-day vulnerability, affecting stable versions of Internet Explorer, is being exploited in a sophisticated attack, which targets key people in various organizations.

The attack begins with fake emails posing as hotel reservation notifications. "About the hotel room, please take the attached list for booking [link]," part of the rogue messages read.

The link directs recipients to a page hosted on a compromised but legitimate website, which checks their operating system and browser version.

Only users running Windows XP and Internet Explorer 6 or 7 get redirected to the exploits. Others are sent to a blank page.

Successful exploitation results in a trojan being installed on the computer. The malware registers itself as a service called "NetWare Workstation" and opens a backdoor.
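The article gives one host-level indicator a defender can act on: the backdoor installs itself as a Windows service with the display name "NetWare Workstation". The following PowerShell snippet is an added example written for this page, not code from Symantec or Microsoft. It enumerates installed services, flags any whose display name matches that string, and reports the service's binary path, start mode and file hash so an analyst can decide whether the entry is a legitimate component or an implant. The hostname list, the output CSV path and the heuristic that a binary outside the Windows directory deserves attention are assumptions for illustration.

```powershell
# Added example: triage services whose display name matches the indicator
# reported in the article ("NetWare Workstation"). Runs on Windows PowerShell 4+
# (Get-CimInstance, Get-FileHash). Hostnames and output path are assumed.
$Indicator   = 'NetWare Workstation'
$Computers   = @('localhost')                         # assumption: scope of the sweep
$ReportPath  = Join-Path $env:TEMP 'netware-svc-triage.csv'   # assumption

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments; keep only the executable.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $PathName.Trim()
}

$results = foreach ($computer in $Computers) {
    $services = Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $Indicator }

    foreach ($svc in $services) {
        $exe  = Get-ServiceBinaryPath -PathName $svc.PathName
        $hash = $null
        if ($computer -eq 'localhost' -and (Test-Path -LiteralPath $exe)) {
            # Hash the on-disk binary so it can be compared against vendor intelligence later.
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        }
        # Heuristic (assumption): a service binary outside the Windows directory is worth a closer look.
        $outsideWindir = -not $exe.StartsWith($env:windir, [System.StringComparison]::OrdinalIgnoreCase)

        [pscustomobject]@{
            Computer      = $computer
            ServiceName   = $svc.Name
            DisplayName   = $svc.DisplayName
            State         = $svc.State
            StartMode     = $svc.StartMode
            BinaryPath    = $exe
            Sha256        = $hash
            OutsideWindir = $outsideWindir
        }
    }
}

if ($results) {
    $results | Format-Table -AutoSize
    $results | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "Findings written to $ReportPath"
} else {
    Write-Host "No service with display name '$Indicator' found on the scanned hosts."
}
```

A match on the display name alone is not proof of compromise, since the name was chosen to blend in with Windows networking components; the binary path, hash and start mode in the report are what let an analyst separate a legitimate entry from the implant described above.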

It reports back to the attackers and downloads encrypted files with commands from a compromised server in Poland.

"Looking at the log files from this exploited server we know that the malware author had targeted more than a few organizations," Symantec researchers revealed.

"The files on this server had been accessed by people in lots of organizations in multiple industries across the globe," they added.

Microsoft has confirmed the existence of the vulnerability and has published a security advisory with mitigation instructions.

"Impacted versions include Internet Explorer 6, 7 and 8, although our ongoing investigation confirms that default installations of Internet Explorer 8 are unlikely to be exploited by this issue.

"This is due to the defense in depth protections offered from Data Execution Prevention (DEP), which is enabled by default in Internet Explorer 8 on all supported Windows platforms," Jerry Bryant, manager of response communications at Microsoft, explained.

Internet Explorer 9 Beta is not vulnerable, and the company has since released a Fix It tool to help users apply the workaround until a permanent patch becomes available.