Microsoft Investigating Reports of New IE7 Exploit

Importatnt Update!!!

Microsoft has released a Security Update to IE7 check it out here!

Microsoft said it is investigating reports that a new exploit is going around that takes advantage of an unpatched security hole in Internet Explorer 7.

The SANS Internet Storm Center, which tracks hacking trends, said today that while the exploit does not appear to be widely in use at the moment, that situation is likely to change soon, since instructions showing criminals how to take advantage of this flaw have been posted online.

SANS emphasizes that this vulnerability is not one that was fixed in the massive bundle of patches that Microsoft issued yesterday. It is not clear what steps users can take to protect themselves against this threat, other than to browse the Web with something other than IE, such as Mozilla Firefox or Opera. This appears to be the type of vulnerability that could be used to give attackers complete control over an affected system merely by convincing users to browse to a specially-crafted hacked or malicious Web site.

According to SANS, the exploit works against fully-patched Windows XP and Windows 2003 systems with Internet Explorer 7.

In a statement e-mailed to Security Fix, Microsoft said once it is done with its investigation, the company "will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves."

The remainder of Microsoft's statement reads:

"Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov.

Microsoft continues to encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at: www.microsoft.com/protect."

Security Fix will continue to keep a close eye on this investigation as it unfolds.

Update, 7:12 p.m. ET: Security volunteer-led group Shadowserver.org has released details about the dozens of Chinese domains being used to serve up this exploit (I hope it goes without saying: Don't visit any of the domains listed at the Shadowserver writeup).

Reston, Va. based security firm iDefense tonight published further details that suggest this exploit was accidentally released by "knownsec," a Chinese information security team that apparently thought the vulnerability had already been patched by Microsoft. The advisory suggests this exploit has been known and actively used by attackers since October.

From iDefense's advisory (PDF):

"According to knownsec, earlier this year a rumor emerged in the Chinese underground about an IE7 vulnerability and in October it began to be traded privately. In November it got into underground black market and was traded for about $15K. Later in December, it emerged and people sold the exploit second or third hand for about $650. Finally, someone purchased those second hand exploits to develop and deploy a Chinese gaming Trojan."

Perhaps the inadvertent disclosure of this flaw is why Microsoft included in its statement today the following tidbit:

"To minimize risk to computer users, Microsoft continues to encourage responsible disclosure. By reporting vulnerabilities directly to a vendor, it helps ensure that customers receive comprehensive, high-quality updates while reducing the risk of attack."

Update, Dec. 11, 10:04 a.m. ET: Microsoft has officially acknowledged this vulnerability. It issued this security advisory late last night.

Update, Dec. 12, 1:04 a.m. ET: Microsoft has revised its security advisory about this vulnerability, saying it affects all supported versions of Internet Explorer, not just version 7. There are indications that a large number of legitimate, hacked Web sites are being seeded with this exploit code through SQL injection vulnerabilities. I would strongly advise readers to avoid surfing the Web with IE at least until Microsoft has patched this flaw. If Microsoft sticks to its regular schedule of issuing updates to fix security flaws on the second Tuesday of each month, that means that unless Redmond deviates from that schedule, the earliest we can expect a patch for this flaw is Jan. 13, 2009.