Microsoft Warns Of Zero-Day IE Attacks

The advisories came after Microsoft released a monster patch load repairing 28 critical and important vulnerabilities on its regularly scheduled "Patch Tuesday," which falls on the second Tuesday of every month.

The attacks against Windows IE affect version 7 on various versions of Windows XP, Windows Server 2003, Vista and Windows Server 2008.

Researchers say that if the XML vulnerability in IE was successfully exploited, an attacker could potentially take over a victim's PC by enticing them to view a malicious Web site by clicking on a malicious link contained in either an e-mail or Instant Messenger, which is typically done through a social engineering scheme.

An attacker could also take advantage of compromised Web sites, or infuse malicious code on "legitimate" Web sites that accept user-provided content or ads in order to exploit the vulnerability.

Once malicious code was executed, the attacker could completely take over a victim's computer to steal personal data and record keystrokes, usually for monetary gain.

Microsoft said that it is currently working to address both problems, either with an out-of-band patch or one that is included in its regular patch cycle, although no fixes have been created yet for either flaw.

However, researchers say that unless Microsoft issues an out-of-band patch, users will likely have to wait another month before a patch is made available due to the fact that the flaws were discovered shortly following the release of a major security bulletin.

"Attackers are most likely timing attacks in such a manner to give them at least a one-month window before the issue gets patched," said Ben Greenbaum, senior research manager for Symantec Security Response.

Microsoft said in its advisory that, so far, the attacks have been limited to a small number of victims.

"Our investigation of these attacks so far has verified that they are not successful against customers who have applied the workarounds listed in this advisory," Microsoft said.

Meanwhile, security experts say that massive, widespread attacks taking advantage of these security holes are not likely.

"The exploits that are currently circulating aren't that reliable. They don't even work 50 percent of the time," Greenbaum said. "Currently, it's not an issue to panic over."

Microsoft is also currently working on repairing another vulnerability in WordPad Text Converter, a default component of Windows operating systems, on Word 97 files. The bug affects numerous versions of Windows, including 2000, XP, Server 2000, Vista and Server 2008.

The vulnerability can be exploited when users use WordPad to open a maliciously crafted file, which corrupts the system memory and subsequently opens up the door for remote hackers to launch an attack on a victim's computer. Microsoft warned users in its advisory not to use WordPad to open files with .doc, .wri, or .rtf extensions received from untrusted sources.

Like the IE vulnerability, Microsoft downplayed the scope of the attacks, saying that they have, so far, been found to be relegated to a limited number of victims.

Greenbaum said that there is a greater chance of an attack exploiting the WordPad vulnerability than the IE flaw, "but the means of distribution of that exploit are even more limited," he said.

"We've only seen it so far in targeted attacks," he said. "That could change. But currently we're not seeing a lot of this happening."

While there are no fixes that repair the errors, Microsoft advised users in its security advisory to apply suggested workarounds, listed on the company's Web site, until the company releases the appropriate patches.