Hackers Target Patched Microsoft Internet Explorer 7 Vulnerability

 
 
By Brian Prince  |  Posted 2009-02-17
 
 
 

Hackers have begun actively targeting a vulnerability in Internet Explorer 7 that was patched earlier this month by Microsoft.

The bug cyber-criminals are looking to exploit is a remote code execution vulnerability that lies in the way Internet Explorer 7 handles errors when attempting to access deleted objects. According to Trend Micro, attackers are spamming a malicious .DOC file detected as X M L_DLOADR.A in a bid to infect unprotected users. 

"This file has a very limited distribution script, suggesting it may be a targeted attack," wrote Trend Micro's Jake Soriano, on the company's Malware Blog. "It contains an ActiveX object that automatically accesses a site rigged with a malicious HTML detected by the Trend Micro Smart Protection Network as HTML_DLOADER.AS."

On an unpatched system, successful exploitation by HTML_DLOADER.AS downloads a backdoor detected as BKDR_AGENT.XZMS. The backdoor in turn installs a .DLL file that steals data and sends it to another URL via Port 443, Soriano wrote.

During this month's Patch Tuesday, Microsoft also addressed a vulnerability in the way Internet Explorer handles CSS (Cascading Style Sheets). When IE displays a Web page that contains certain CSS styles, memory may be corrupted in such a way that an attacker could execute arbitrary code with the same rights as the logged-on user.

There was no word from Trend Micro as to whether this second issue was also being exploited.

Even with the rising popularity of rivals such as Firefox and Google Chrome, IE remains the most widely used-and targeted-Web browser. In December, Microsoft was forced to issue an out-of-band patch to ward off attempts by hackers to compromise users.

"Although the install base of the IE family is slowly eaten up by stiff competition such as Firefox and Chrome, IE7 is used by about one in every four Web users, a much larger share than previous versions of IE," Soriano wrote. "This could explain why cyber-criminals seem to be eagerly searching for more bugs. ... Users meanwhile are advised to patch now."


Rocket Fuel