Attacks exploiting a critical unpatched Windows vulnerability were today linked to Chinese hackers.
eEye Digital Security released a third-party patch today for the flaw, which can be attacked through any website, email or content that contains an animated cursor.
If successful, an attack can allow a malicious user to run arbitrary code on a user’s system.
Ken Dunham, director of the Rapid Response Team at VeriSign iDefense, said that exploitation was becoming more common early today.
Attacks can be linked back to hostile servers in China, Dunham said.
"Attacks to date attempt to install malicious code, including Nuclear and Nimoret malicious codes. Exploitation in the wild is limited to just Windows XP Service Pack 2 and Internet Explorer 6 and 7. iDefense independent lab tests proved that trivial modification is all that’s required to update both the payload and functionality on multiple operating system builds," he said. "Attacks are largely being launched from Chinese servers. iDefense has correlated this attack back to the Chinese Evil Octal forum and to attacks formerly launched by a group using SQL injection to compromise servers in order to host iFrame links pointing back to exploits hosted on Chinese servers."
Secunia today ranked the flaw as "extremely critical," its rating for a vulnerability that can be exploited remotely to run arbitrary code and for which malicious code is already in the wild. The Danish firm credited Determina with discovering the flaw.
Microsoft confirmed the flaw Thursday in an advisory.
In a Thursday post on the Microsoft Security Response Center blog, researcher Adrian Stone said attacks appeared "to be targeted and not widespread," adding that Redmond was monitoring the attacks.
It was unknown today whether Microsoft would release an out-of-cycle fix for the flaw before its April 10 Patch Tuesday release.
The eEye Research Team said on its blog today that the vulnerability presents numerous opportunities for malicious users to attack users.
"This zero-day vulnerability represents one of the most potent zero-days recorded by the Zero-Day Tracker," the researchers said. "Since the vulnerability lies within Windows and is exposed by countless applications, exploit vectors are plentiful for attackers to launch reliable attacks against user32.dll."
Researchers warned today that configuring email clients for plain text would not fully protect against the exploits.
"Blocking all types of email attachments may be required to successfully trap any .ani files that may be disguised within other file types, such as .jpg," said Dunham.
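One defender-side check that follows from Dunham's point, added here as an illustration and not code published by iDefense, eEye or any vendor named above: identify animated-cursor content by its RIFF/ACON container signature rather than by file extension, so an .ani renamed to .jpg is still flagged, and report containers whose length fields do not add up instead of accepting them. The CURSOR_EXTENSIONS policy and the sample attachments are constructed for the example.

```python
import os
import struct

# Hypothetical policy value: extensions where an ACON (animated cursor) container is expected.
CURSOR_EXTENSIONS = {".ani"}

def parse_riff(data: bytes):
    """Return (form_type, [(chunk_id, payload), ...]); raise ValueError if a length field overruns the data."""
    if len(data) < 12 or data[:4] != b"RIFF":
        raise ValueError("not a RIFF container")
    riff_len = struct.unpack_from("<I", data, 4)[0]
    end = 8 + riff_len
    if end > len(data):
        raise ValueError("RIFF length field exceeds file size")
    form_type, chunks, pos = data[8:12], [], 12
    while pos + 8 <= end:
        chunk_id = data[pos:pos + 4]
        chunk_len = struct.unpack_from("<I", data, pos + 4)[0]
        start = pos + 8
        if start + chunk_len > end:
            raise ValueError(f"chunk {chunk_id!r} declares {chunk_len} bytes, only {end - start} remain")
        chunks.append((chunk_id, data[start:start + chunk_len]))
        pos = start + chunk_len + (chunk_len & 1)  # RIFF chunks are padded to an even length
    return form_type, chunks

def classify_attachment(filename: str, data: bytes) -> str:
    """Classify by content, not by name: 'not-riff', 'riff-malformed', 'riff-other', 'ani' or 'ani-disguised'."""
    if data[:4] != b"RIFF":
        return "not-riff"
    try:
        form_type, _chunks = parse_riff(data)
    except ValueError:
        return "riff-malformed"
    if form_type != b"ACON":
        return "riff-other"  # e.g. WAV or AVI, which also use the RIFF container
    ext = os.path.splitext(filename)[1].lower()
    return "ani" if ext in CURSOR_EXTENSIONS else "ani-disguised"

def build_sample_ani() -> bytes:
    """Constructed minimal animated cursor: a RIFF/ACON container holding one 36-byte anih header."""
    anih = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 1, 1)  # cbSize, nFrames, nSteps, cx, cy, cBitCount, cPlanes, jifRate, flags
    body = b"ACON" + b"anih" + struct.pack("<I", len(anih)) + anih
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed attachments: a real cursor, the same bytes renamed to .jpg, a JPEG header, a truncated cursor.
SAMPLES = {"cursor.ani": build_sample_ani(), "holiday.jpg": build_sample_ani(),
           "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16, "truncated.ani": build_sample_ani()[:-10]}

def scan_samples() -> dict:
    return {name: classify_attachment(name, data) for name, data in SAMPLES.items()}
```

A mail gateway would apply classify_attachment to each decoded attachment and quarantine anything returned as "ani-disguised" or "riff-malformed".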
Switching to text-only configuration may actually help the bad guys, said handler Swa Frantzen of the SANS Internet Storm Center.
"The surprising element is that read-in-plain-text mode makes some of the clients more vulnerable and actually only offers real added value," he said on the organisation’s blog.