IE7 0-Day Exploit Compromising Thousands of Hosts

By PatB
Contributing Writer, [GAS]

Hackers love to play cat and mouse with security firms.  A case in point is the current Internet Explorer 7 unpatched vulnerability being exploited worldwide.  On Tuesday, hackers waited until Microsoft released their monthly patches before revealing an undisclosed vulnerability in the web browser software, giving villains the maximum amount of time to compromise computers before users get patched up in 30 days.  The SANS Internet Storm Center has more details here.

Unsuspecting users need only visit a website and they are automatically compromised by the server.  The exploit code takes advantage of a flaw in the XML handling parsers in IE, and a trojan is downloaded without the user's knowledge.  Right now, this trojan is looking for passwords to certain online games, and the exploit is targeting Chinese-language users.  But according to Microsoft, just about everyone with IE7 is vulnerable, including Vista users:

"Our investigation so far has shown that these attacks are against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008."

If you are an administrator of an enterprise and want to block the sites that are dishing out this malware, Shadowserver.org has a list of URLs here.  But don’t go being foolish and visit any of the hosts listed, because they are hosting active exploit code and will pwn you if you are using IE7.  And judging by the list of servers, it seems that servers belonging to Baidu, the Chinese MP3 file-swapping service, are the ones dishing out most of the badness.

So how do you protect yourself?  Use Firefox until Microsoft gets a patch out for this.  But a word of caution — make sure you are running the latest patched version of Firefox too.  Most of these websites don’t just exploit IE7 — they try about a dozen different exploits, some of which may work against older versions of Firefox.  If you are running Vista, make sure you run IE in Protected Mode.  Windows Server 2003 and Windows Server 2008 should both be protected by default, because IE runs with Enhanced Security Configuration enabled on those systems.

Hackers now know how to use these exploits, and I fully expect this to spread quickly to English-language systems.  Soon enough, this trojan will steal much more than just gaming passwords.  Next will come the online banking password stealers and other malware that will compromise your personal identity.  Surf Safe!