According to a blog post by security specialist Eric Romang, a security hole in Microsoft's Internet Explorer web browser is being used by cyber criminals to infect computers with malware. The vulnerability, which was apparently unknown and unpatched until now, seems to hinge on how IE handles <img> arrays in HTML files. So far, the attackers have only targeted versions 7 and 8 of IE on fully patched Windows XP SP3 systems; it is not yet certain whether the exploit can be used with other software combinations.

Romang discovered the code on a server that is apparently being used for targeted attacks by the Chinese hacker group known as the Nitro gang. The first exploit for the critical Java vulnerability that Oracle fixed with an emergency patch late last month was also found on a server that seems to be linked to the Nitro gang.

In the current attack, a specially prepared web page executes a Flash applet that uses heap spraying to distribute shellcode in the system memory. It then reloads an iframe that uses the IE vulnerability to run the shellcode. According to an analysis from security firm Alien Vault, the remote administration tool (RAT) Poison Ivy is currently being distributed in this way in order to give the attackers complete access to the infected system.

Users running Internet Explorer can play it safe by switching to another web browser until it can be confirmed which combinations of browser and operating system are affected. Anyone can use the published details to put together an exploit, and a module for the Metasploit exploit framework is already underway. Microsoft has not yet issued a statement on the problem.

(crve)