Attackers are using a security hole in Microsoft’s Internet Explorer web browser to infect computers with malware.
The vulnerability, which was apparently unknown and unpatched until now, hinges on how IE handles arrays in HTML files.
So far, attackers have targeted IE versions 7 and 8 on fully patched Windows XP SP3 systems; it is not yet certain whether the exploit works with other software combinations.
Security researcher Eric Romang discovered the code on a server used for targeted attacks by the Chinese hacker group known as the Nitro gang. The first exploit for the critical Java vulnerability that Oracle fixed with an emergency patch late last month was also on a server linked to the Nitro gang.
In the current attack, a specially prepared web page executes a Flash applet that uses heap spraying to distribute shellcode in the system memory. It then reloads an iframe that uses the IE vulnerability to run the shellcode.
According to security firm Alien Vault, the remote administration tool (RAT) Poison Ivy is currently being distributed this way, giving attackers complete access to the infected system.
Users running Internet Explorer can play it safe by switching to another web browser until it is confirmed which combinations of browser and operating system suffer from the issue. Anyone can use the published details to put together an exploit, and a module for the Metasploit exploit framework is already in the works.