Hackers have used a new "zero-day" vulnerability — a hole previously unknown to security researchers — in versions 7 and 8 of Microsoft's Internet Explorer browser to spread malware on computers running Windows XP Service Pack 3 and below. Further investigation by the developers of penetration testing tool Metasploit has demonstrated that the hole can also be exploited on computers running Internet Explorer 9 on Windows 7 or Windows Vista.
[Image caption: The attack uses a specially-crafted Flash animation]
First pointed out by French researcher Eric Romang yesterday, the attack uses a specially-crafted Flash animation to drop a malware kit known as Poison Ivy on the target machine — as Ars Technica notes, it appears to be the work of the same gang responsible for exploiting a zero-day vulnerability in Java last month. Microsoft has issued an official advisory note acknowledging the problem and advising users to download its existing Enhanced Mitigation Experience Toolkit (EMET) to reduce the risk, but has not released a dedicated patch. It is not yet clear whether the company will wait until its next Patch Tuesday, October 9th, to provide a specific fix, as was the case with another IE9 vulnerability caught earlier this year.
With organizations including Germany's Federal Office for Information Security advising users to switch to browsers other than Internet Explorer until the problem is fixed, the vulnerability is likely to have an effect on the browser's short-term market share, and its ongoing battle with Google's Chrome. "For consumers it might be easier to simply click on Chrome," McAfee's threat intelligence director Dave Marcus tells Reuters.