Time is money and hackers are very aware of that; so, three days after Microsoft patched 11 bugs in Internet Explorer (IE), hackers were exploiting one of the vulnerabilities.
Microsoft fixed the flaw last Tuesday in an 11-patch update for IE. That update was part of a larger Patch Tuesday roll-out that knocked out 34 bugs in 16 separate security bulletins.
Most security experts had put the IE update at the top of their priority lists, and urged Windows users to deploy it as soon as possible.
Symantec reported that that one IE bug, CVE 2011-1255, is already suffering distress.
“So far, we have only seen limited attacks taking advantage of this vulnerability and believe that the exploit is only being carried out in targeted attacks at present,” said Joji Hamada, a senior researcher with Symantec’s security response team.
Hamada said Symantec found an exploit on an apparently-compromised site that automatically downloads an encrypted malicious file to the PC of any user browsing with an unpatched copy of IE8.
The malware shows some bot traits, Hamada added. Once planted on a machine, it contacts a remote server and listens for commands from its bosses.
Although the CVE 2011-1255 vulnerability affects IE6 and IE7 as well as IE8, Symantec has only seen working exploits that target the latter.
IE9, the browser that Microsoft launched in mid-March, does not have the vulnerabilities of the later versions. But it did undergo other patches to address four different bugs.
In the accompanying advisory, Microsoft labeled the flaw as “critical,” its most-serious threat level, for IE7 and IE8 on all Windows machines, and for IE6 running on Windows XP. For IE6 on Windows Server 2003 Microsoft rated the bug as “moderate.”
Microsoft also assigned a “1” to the vulnerability in its exploitability index, meaning the company expected a reliable exploit to appear within 30 days. The attackers beat that by a significant margin, putting their exploit into play within three days.