Attackers target unpatched IE bug

A first exploit has appeared for an 'extremely critical' vulnerability in Internet Explorer

Researchers have spotted a first exploit for an 'extremely critical' vulnerability in Microsoft's Internet Explorer.

Visitors to an infected website will automatically be hit with a new variant of the Spybot worm. 

The malware opens a backdoor on the system and attempts to lower the security settings, effectively turning infected systems into zombie computers.

Security firm Secunia notified Microsoft about the threat on 13 February and issued an advisory. 

Of the major antivirus vendors, McAfee said that had updated its signature files to detect and remove the new Spybot variant. Symantec had not listed the worm at press time. 

Trend Micro told vnunet.com that it is working on an update and will release a signature later on Friday afternoon (Pacific Time). 

Monty Ijzerman, manager of security at McAfee, told vnunet.com that he expects Microsoft to release a patch soon. "Microsoft has had some time to research this issue," he said.

The vulnerability is caused by an error in the way that the browser processes the 'createTextRange' method call on a radio button. Users can prevent infection by disabling Active Scripting in their browser settings (instructions can be found here). 

Microsoft confirmed the bug on Wednesday in a blog posting and issued a security advisory on Thursday. At the time of the publication of the advisory, Microsoft stated that it was not aware of attacks using the vulnerability. 

The detection of the worm caused the SANS Internet Storm Center to raise its Infocon threat level to yellow, representing the second step on a four-step scale. 

This indicates that researchers are tracking a significant new threat but that its impact is unknown. Users are advised to take immediate action.

The way that the flaw can be exploited is similar to the Windows .wmf vulnerability that emerged in January. Attackers posted infected images on websites that allowed the execution of arbitrary code on Windows systems.

Ijzerman believes that the 'createTextRange' vulnerability will be harder to exploit. "The .wmf vulnerability was a feature in the Windows code that worked on any version of the Windows operating system," he said.

"With the 'createTextRange' all versions are vulnerable, but exploits will not work on all versions of the operating system."

Although exploitation requires advanced programming skills, Ijzerman expects that knowledgeable worm authors will be able to create a universal exploit that first determines the operating system's version and then deploys a specific exploit.