Jun 21, 2011 18:46 GMT  ·  By

A critical Internet Explorer vulnerability patched by Microsoft last week is being exploited in targeted attacks launched from websites that infect computers with malware.

The vulnerability, identified as CVE-2011-1255, affects Internet Explorer versions 6, 7, and 8, running on all supported Windows operating systems.

It was patched along with ten other IE security flaws as part of Microsoft's MS11-050 Security Bulletin released on June 14.

"A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted.

"The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user," Microsoft explains.

Symantec reports that the flaw has been exploited in limited attacks launched from compromised websites. "We have been able to confirm the existence of one such attack that involves a compromised website hosting content for a neighborhood restaurant.

"It appears that a duplicate of the top page of the website was either hacked to include a hidden iframe tag linking to an exploit page or was prepared from scratch, which, if run successfully, the included shell code downloads an encrypted malicious file from the same site," the Symantec researchers note.

The malware connects to a command and control server hosted on 3322.org via HTTP and awaits commands. The Symantec experts believe that links to the compromised website or websites are being distributed via targeted emails.
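Two checks a web administrator or security team could run against the pattern described above, as an added example that is not code from the article, Symantec or Microsoft: the first scans a page's HTML for iframes that are sized to zero, hidden with CSS, or positioned off-screen (the "hidden iframe tag" in the compromised restaurant page); the second flags proxy-log requests to hosts under 3322.org, the dynamic-DNS service the command and control server was hosted on. The HTML sample, the log lines, the client addresses and every hostname other than 3322.org are constructed for the example (the .invalid TLD is reserved and never resolves).

```python
"""Defender-side checks for a hidden-iframe compromise and an HTTP beacon
to a 3322.org host. Added example; not Symantec's or Microsoft's code.
All HTML, log lines and hostnames below (except 3322.org) are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags that are visually hidden or pushed off-screen."""

    def __init__(self):
        super().__init__()
        self.suspicious = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("zero/one-pixel size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via css")
        if re.search(r"(left|top):-\d+", style):
            reasons.append("positioned off-screen")
        if reasons:
            self.suspicious.append((a.get("src", ""), reasons))


def find_hidden_iframes(html):
    """Return [(src, reasons), ...] for every suspicious iframe in the page."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.suspicious


# Constructed page: one legitimate iframe, one zero-size, one off-screen.
SAMPLE_HTML = """<html><body>
<h1>Neighborhood Restaurant</h1>
<iframe src="http://www.example-restaurant.invalid/menu.html" width="600" height="400"></iframe>
<iframe src="http://www.example-restaurant.invalid/x/exploit.html" width="0" height="0"></iframe>
<iframe src="http://ads.example.invalid/" style="position:absolute; left:-9999px"></iframe>
</body></html>"""

# Parent domains to watch; 3322.org is the one named in the article.
WATCHED_PARENT_DOMAINS = ("3322.org",)


def host_matches(host, parents):
    """True if host is one of the parent domains or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == p or host.endswith("." + p) for p in parents)


def flag_c2_requests(log_text, parents=WATCHED_PARENT_DOMAINS):
    """Scan 'timestamp client method url' proxy log lines; return hits."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, _method, url = parts[:4]
        host = urlparse(url).hostname or ""
        if host_matches(host, parents):
            hits.append((client, host, url))
    return hits


# Constructed proxy log: only the second line touches a 3322.org host.
SAMPLE_LOG = """\
1308660000.123 10.0.0.5 GET http://www.example-restaurant.invalid/index.html
1308660005.456 10.0.0.5 GET http://example-c2.3322.org/cmd.php
1308660010.789 10.0.0.7 POST https://mail.example.invalid/owa/
"""

if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML):
        print("suspicious iframe:", src, "->", ", ".join(reasons))
    for client, host, url in flag_c2_requests(SAMPLE_LOG):
        print("possible C2 beacon:", client, "->", host, url)
```

The iframe check is a triage aid, not proof of compromise: legitimate pages also use hidden frames, so each hit needs a look at where the src points. The log check matches the whole 3322.org zone rather than a single hostname because dynamic-DNS subdomains are cheap to rotate, and the same host_matches helper works for any other parent domain added to the tuple.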

The vulnerability was reported privately to Microsoft by an anonymous researcher through VeriSign iDefense Labs, which means the attackers probably reverse-engineered the patch after it was released. This technique is not very common, as most targeted attacks use zero-days to increase their chances of success.

Users and companies are strongly encouraged to apply the patch for the vulnerability, as well as the other security updates that Microsoft released for Internet Explorer last week.