Hackers exploit fresh vulnerability in Internet Explorer

News by Dan Raywood

Internet Explorer 7 is being attacked by hackers following the discovery of a critical vulnerability.


Trend Micro claimed that the vulnerability arises from the browser's improper handling of errors when attempting to access deleted objects, and that it allows remote attackers to execute arbitrary code on a vulnerable machine.


Technical communications spokesperson Jake Soriano claimed that the threat starts with a spammed malicious .DOC file that Trend Micro has detected as XML_DLOADR.A.


He said: “This file has a very limited distribution script, suggesting it may be a targeted attack. It contains an ActiveX object that automatically accesses a site rigged with a malicious HTML detected by the Trend Micro Smart Protection Network as HTML_DLOADER.AS.


“HTML_DLOADER.AS exploits the CVE-2009-0075 vulnerability, which is already addressed by the MS09-002 security patch released last week. On an unpatched system though, successful exploitation by HTML_DLOADER.AS downloads a backdoor detected as BKDR_AGENT.XZMS. This backdoor further installs a .DLL file that has information stealing capabilities. It sends its stolen information to another URL via port 443.”


Bojan Zdrnja, a handler at the SANS Internet Storm Center, said: “Initially there was some confusion about this attack as most AV vendors mentioned Word documents. The exploit targets Internet Explorer 7, but so far it has been delivered to the end user as a Word document. That being said, there is absolutely nothing preventing attackers from using the exploit in a drive-by attack (and we can, unfortunately, expect that this will happen very soon).


“As the MS09-002 patch has only been released a week ago, it's clear that the attacker reverse engineered the patch to create the exploit (especially since the vulnerability has been initially reported by ZDI to Microsoft in September last year). So, check your client machines and make sure that you are patched!”

