Internet Explorer suffers from zero-day vulnerability

Recent patches from Microsoft have failed to protect against a zero-day vulnerability.

 

Several websites have been found to be rigged with a malicious JavaScript, which targets Internet Explorer 7. If exploited, it triggers a series of redirections to multiple URLs and finally connects to one of several different domains.

 

Trend Micro reported that the toolkit related to this exploit is reportedly being sold in the China underground community. This is quite logical, since TSPY_ONLINEG variants are notorious information stealers - particularly stealing credentials related to online games, which in turn are very popular in China. It also claimed that the recently discovered flaw remains unpatched by Microsoft.

 

Microsoft has advised users to guard against the flaw. A security advisory from Microsoft said its researchers were ‘actively investigating the vulnerability,' which had not been widely exploited by hackers so far.

 

It said: “On completion of this investigation, Microsoft will take the appropriate action to protect our customers. At this time, we are aware only of limited attacks that attempt to use this vulnerability; they are not successful against customers who have applied the workarounds listed. Setting the level to high may cause some websites to work incorrectly.”

 

Microsoft spokesman Christopher Budd said that, if necessary, the company would issue a special ‘out of cycle' patch for the vulnerability, ‘depending on customer needs'.

Sign up to our newsletters