ALERT: IE7 Zero Day security exploit
Update: Attacks are against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008. Windows Internet Explorer 5.01 Service Pack 4, Windows Internet Explorer 6 Service pack 1, Windows Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported version of Microsoft Windows are potentially vulnerable.
WebSense reports that a Taiwanese search engine "look.tw" has been compromised and is using the IE7 Zero Day security exploit to infect site visitors with malicious code (specifically, it tries to download a file called "ieupdate.exe").
The Microsoft Malware Protection Centre reports that they have detected "several hundred" html pages hosting the exploit, albeit on Chinese domains.
I especially want to highlight this warning on the MMPC page:
"This issue could impact you even if you avoid surfing questionable sites. Over the past few months, we've seen a surge in SQL injection attacks which enable miscreants to inject content onto trusted sites (we even blogged about the technique a few months ago). This class of attack, along with other more classical forms of website intrusion mean that even trusted sites can end up serving malicious content causing you to get infected."
Microsoft has issued a security bulletin about the security exploit, which can be found here:
Important things to note (updated):
- IE7 and IE8 on Vista **with protected mode enabled** provides some protection from the exploit (I'm not willing to say that the protection is definitive and all-encompassing, after all, MS hasn't said so either - but it sure as heck is an effective defense) - so, those of you who have turned off UAC (thereby losing Protected Mode) or who have turned off Protected Mode via IE7's dialogues, are at greater risk.
- Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in Enhanced Security Configuration, which reduces risk (if this applies to you, what the heck are you doing surfing the internet via your server anyway??)
Options for minimizing risk (updated to refer direct to MS):
Why is this vulnerability being exploited? Because it was made public in a Chinese language discussion forum by a group calling themselves the "Knownsec team". The irresponsible disclosure was picked up by PCWorld, reported on, and reports spread from there. I will never understand why some think that winning "we were first/guess what we found/cool we get publicity" bragging rights is more important than protecting the security of internet users.
Update: Computerworld reports that Knownsec is claiming that their release of the code was a mistake that occurred because they thought the exploit had already been patched.