Date:12.10.2008
Threat Type: Malicious Web Site / Malicious Code
Websense® Security Labs™ is currently monitoring the use of an unpatched vulnerability (0-day) in Microsoft Internet Explorer 7. No user interaction is necessary for the exploit to be successful. A computer may become infected by simply visiting a malicious Web site. This vulnerability exists in the way XML is processed within Internet Explorer 7. This zero day was first made public on a Chinese discussion forum one day before Microsoft shipped its December set of monthly patches.
The majority of the exploits that we analyzed download a malicious Trojan from Web sites that have been categorized by Websense since September of this year. This indicates that the exploit writers have been operating for some time. They may have purchased the exploit, or possibly discovered it on their own, and timed the attack to follow Microsoft’s regular patch cycle.
Our research finds that the majority of malicious sites serving this exploit are originating from China (e.g ASN number AS4134 – CHINANET-BACKBONE No.31, Jin-rong Street).
Screenshot of the malicious code in the wild:
References:
http://www.pcworld.com/article/155190/new_web_attack_exploits_unpatched_ie_flaw.html
http://www.breakingpointsystems.com/community/
http://blogs.zdnet.com/security/?p=2283
http://blog.zoller.lu/2008/12/in-wild-ie7-0day-update.html
http://www.scanw.com/blog/archives/303