Attackers are already exploiting a bug in Internet Explorer 7 that Microsoft Corp. patched just last week, security researchers warned today.
Although the attacks are currently in “very, very small numbers,” they may be just the forerunner of a larger campaign, said Jamz Yaneza, threat research manager at Trend Micro Inc. “I see this as a proof-of-concept,” said Yaneza, who noted that the exploit's payload is extremely straightforward and explained that there has been no attempt to mask it by, say, planting a root kit on the victimized PC at the same time.
“I wouldn't be surprised to see this [exploit] show up in one of those Chinese exploit kits,” he added.
The new attack code, which Trend Micro dubbed “XML_Dloadr.a,” arrives in a spam message as a malicious file masquerading as a Microsoft Word document. If the fake document is opened, the exploit hijacks PCs that have not been patched with the MS09-002 security update Microsoft issued last Tuesday as part of its eight-patch February batch of fixes.
That update, which plugged two holes in IE7, was rated “critical” by Microsoft at the time.
“We first saw this over the weekend,” said Paul Ferguson, an advanced threat researcher at Trend Micro. “But we're not sure if it's just a targeted attack or they're staging for something larger. It's hard to tell at the moment.”
It's not unusual for hackers to swing into action with a new exploit only days after Microsoft has patched a previously-unknown vulnerability. “They know it takes users a while to patch,” Ferguson added. “Even months after Microsoft patched, the Conficker worm was still able to infect millions of PCs because of lousy patching. That's not lost on the bad guys.”
The “Conficker” worm, also known as “Downadup,” continues to compromise millions of machines daily, even though, as Ferguson noted, Microsoft patched the vulnerability exploited by the worm nearly four months ago.
Yaneza and Ferguson speculated that the current attacks are precursors to a much larger assault that will revive a campaign that tempted users with news about Tibet. Those attacks, which Trend Micro reported in January 2008, share some characteristics with the newest exploits, including malware disguised as Word documents. Yaneza also said that it appears as though the hacker's command-and-control server is based in China, lending more credence to their theory.
“This is the 50th anniversary of the Tibetan freedom movement,” said Ferguson, who said it's likely that a large-scale attack based on this exploit would use that news as bait. In 1959, when the People's Republic of China took full control of Tibet, the Dali Lama fled to India, where he is the head of a Tibetan government-in-exile.
One security expert has called on Microsoft to sever the links between IE and Windows to better protect users from attack. According to Wolfgang Kandek, the chief technology officer at Qualys Inc., people plug IE holes no faster than other critical Microsoft vulnerabilities, something that might change if Microsoft split the browser from the operating system and increased the frequency of its IE patches.