Researchers have uncovered new, currently unpatched vulnerabilities in multiple versions of Internet Explorer that criminals are actively exploiting to surreptitiously execute unusually advanced malware on computers that visit booby-trapped websites.

The vulnerabilities in various configurations of IE versions 7, 8, 9, and 10 running on Windows XP and Windows 7 are separate from the Microsoft Windows and Office graphics flaw that's also under active exploit at the moment. According to researchers at security firm FireEye, the IE-targeted exploits arrive as a classic drive-by attack that's found on at least one breached website located in the US.

The attacks are able to bypass security protections Microsoft engineers have gradually added to later versions of their software. The exploits appear to circumvent the measures, at least in part, by exploiting at least two separate flaws. One flaw allows attackers to access and control computer memory, and another leaks system information needed to capitalize on the first bug. "The memory access vulnerability is designed to work on Windows XP with IE 7 and 8 and on Windows 7," FireEye researchers Xiaobo Chen and Dan Caselden wrote in a post published Friday. "The exploit targets the English version of Internet Explorer, but we believe the exploit can be easily changed to leverage other languages. Based on our analysis, the vulnerability affects IE 7, 8, 9 and 10."

Early analysis suggests the two vulnerabilities work only against machines running IE 8 on XP and IE 9 running on Windows 7. The research into the attacks is in extremely early stages, so it wouldn't be surprising for the range of vulnerable systems to be wider once more analysis has been done.

An "exceptionally accomplished and elusive" attack

Update: Shortly after Ars published an earlier version of this article on Sunday, FireEye posted a newer analysis of the attack indicating it's part of an unusually sophisticated advanced persistent threat (APT). The attackers embedded the exploit code directly "into a strategically important website, known to draw visitors that are likely interested in national and international security policy," the researchers wrote. The attacks rely on some of the same command and control servers used in a previous APT campaign known as Operation DeputyDog.

Also setting the newly discovered attacks apart from other malware campaigns is the malicious payload that gets installed. Although it's a variant of the previously seen trojan alternately dubbed Hydraq, McRat or Trojan.APT.9002, the new payload runs solely in memory. It doesn't ever write itself to disk, a trait that leaves few to no artifacts for security defenders or forensic investigators to identify infected computers.

"Specifically, the payload is shellcode, which is decoded and directly injected into memory after successful exploitation via a series of steps," the FireEye researchers wrote in the latest post. They went on to write: "By utilizing strategic Web compromises along with in-memory payload delivery tactics and multiple nested methods of obfuscation, this campaign has proven to be exceptionally accomplished and elusive."

As is often the case, the attacks can be blocked by installing the latest version of Microsoft EMET, short for the Enhanced Mitigation Experience Toolkit. Members of Microsoft's security response team have not yet commented on the report, although they are likely to do so soon. Microsoft representatives contacted by Ars said members of the company's security team are still looking into the report.

FireEye didn't elaborate on the US-based website that was hosting the drive-by exploit, except to describe it as "breached," meaning the attackers were able to take control of it and cause it to attack people who visited it. Based on the description of the exploit and its ability to bypass defenses Microsoft engineers have built into newer versions of IE and Windows, there's reason to believe the attackers put a fair amount of time and skill into their work. Among other things, the attack code exploits a "new information leakage vulnerability and an IE out-of-bounds memory access vulnerability" so it can force computers to execute malicious code.

"The information leak uses a very interesting vulnerability to retrieve the timestamp from the [program executable] headers of msvcrt.dll," the FireEye researchers explained. "The timestamp is sent back to the attacker's server to choose the exploit with a ROP chain specific to that version of msvcrt.dll. This vulnerability affects Windows XP with IE 8 and Windows 7 with IE 9."
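To make concrete what the quoted leak actually retrieves, here is an added Python example, not from the article or from FireEye, that reads the TimeDateStamp field from the COFF file header of a PE image, the "[program executable] header" field mentioned above. The field is a fixed 4-byte build stamp, so the same value appears on every machine running the same build of msvcrt.dll; that is why one leaked DWORD is enough to pick a matching pre-built ROP chain, and why defenders should treat build identifiers as public rather than secret. The function names and the sample timestamp are this example's own, and the PE header it parses is a constructed minimal stub built inline so the code runs offline; it is not a real DLL.

```python
import struct
from datetime import datetime, timezone

# Layout constants from the PE/COFF file format specification.
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C        # DWORD in the DOS header giving the offset of "PE\0\0"
COFF_HEADER_SIZE = 20         # IMAGE_FILE_HEADER directly follows the signature
TIMESTAMP_OFFSET_IN_COFF = 4  # Machine(2) + NumberOfSections(2), then TimeDateStamp(4)


def is_pe_image(data: bytes) -> bool:
    """True if the buffer starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != DOS_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if not is_pe_image(data):
        raise ValueError("buffer is not a well-formed DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 4 + TIMESTAMP_OFFSET_IN_COFF)
    return ts


def pe_timestamp_utc(data: bytes) -> str:
    """Human-readable build stamp, e.g. for inventorying which DLL build a host carries."""
    return datetime.fromtimestamp(pe_timestamp(data), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def pe_timestamp_of_file(path: str) -> int:
    """Read only the headers of an on-disk PE file (the first 4 KiB is plenty for real DLLs)."""
    with open(path, "rb") as fh:
        return pe_timestamp(fh.read(4096))


def build_sample_pe(timestamp: int) -> bytes:
    """Construct a minimal synthetic PE header stub (constructed sample, not a real DLL)."""
    e_lfanew = 0x80
    dos_header = bytearray(e_lfanew)
    dos_header[:2] = DOS_MAGIC
    struct.pack_into("<I", dos_header, E_LFANEW_OFFSET, e_lfanew)
    coff_header = struct.pack(
        "<HHIIIHH",
        0x014C,     # Machine: IMAGE_FILE_MACHINE_I386
        3,          # NumberOfSections
        timestamp,  # TimeDateStamp: the build identifier the leak reads
        0, 0,       # PointerToSymbolTable, NumberOfSymbols
        0xE0,       # SizeOfOptionalHeader (PE32)
        0x2102,     # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    )
    return bytes(dos_header) + PE_SIGNATURE + coff_header


# Constructed sample value: 2009-07-14 00:00:00 UTC.
SAMPLE_TIMESTAMP = 1247529600

if __name__ == "__main__":
    sample = build_sample_pe(SAMPLE_TIMESTAMP)
    print("TimeDateStamp = 0x%08X (%s)" % (pe_timestamp(sample), pe_timestamp_utc(sample)))
```

Pointing `pe_timestamp_of_file` at a real system DLL gives the same value the article says the exploit sends home, which shows why that value cannot serve as any kind of secret: two hosts with the same patch level report the same stamp. The mitigations the article names, EMET and moving to a newer browser, are the controls that matter here, not hiding the build.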

ROP is short for "return-oriented programming," a technique that repurposes legitimate code already present in an exploited application, chaining together short fragments of it, in a way that gives it new, malicious capabilities. Attackers use ROP chains to bypass data execution prevention (DEP), a security mitigation added to most Microsoft applications in the past seven or so years. It prevents most data loaded into memory from being executed as code.

With the active circulation of at least two attacks that successfully exploit unpatched or only temporarily patched vulnerabilities in widely used Microsoft software titles, readers would do well to remain on guard. Those who haven't already installed the temporary fix for the earlier-reported TIFF image rendering bug should do so immediately. Users should also upgrade to versions 7 or 8 of Windows and run version 11 of IE. EMET is also a worthwhile mitigation, as is using a browser other than IE whenever possible until more is known about the scope of the attacks.