A new IE7 exploit is now making the rounds. It has already been incorporated in toolkits that install information-stealing trojans. Read on to learn more.
A new zero-day Internet Explorer 7 exploit is now out in the wild. It’s a drive-by dropper that resides on malicious Web sites. Brian Krebs, the tireless security watchdog for the Washington Post, points out all the details in his blog “Microsoft Investigating Reports of New IE7 Exploit.”
iDefense, a Virginia-based security firm, noted that the exploit may have been accidentally released by a Chinese IT security group that mistakenly thought Microsoft had already patched the vulnerability. The following quote is from their Dec. 10, 2008, blog “Exploitation for Unpatched Internet Explorer 7 Vulnerability in the Wild” (pdf):
“On Dec. 9, 2008, security researchers found a previously unknown vulnerability in Microsoft Corp.’s Internet Explorer 7.0 being exploited in the wild. This exploit has already been incorporated into Chinese exploit toolkits and is actively being used to install information stealing Trojans that target online games.”
Acknowledged by MS
Microsoft has finally acknowledged the problem in Security Advisory (961051):
“Microsoft is investigating new public reports of attacks against a new vulnerability in Internet Explorer. Our investigation so far has shown that these attacks are against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008.”
It’s important to know that the massive Windows update just released on Dec. 9, 2008, doesn’t have a patch for this vulnerability.
Domains hosting malicious Web sites
Shadowserver.org, a volunteer security group, has listed many of the domains that are hosting the exploit-carrying Web sites. The list is published on their blog “IE7 0-Day Exploit Sites.” They also provide some detection and prevention information, as well as places to get Snort rules for the current unmodified variants.
This exploit is serious, and sadly there’s no Microsoft fix at this time. Once again the simplest solution is to use an alternative browser such as Firefox, Chrome, or Opera. I doubt Microsoft would make that suggestion though.