Tuesday, November 9, 2010

Danger to IE users climbs as hacker kit adds exploit

An exploit of an unpatched Internet Explorer vulnerability has been added to a popular crimeware kit, a move that will likely push Microsoft to fix the flaw with an emergency update, a security researcher said November 7. Microsoft has warned users of its IE6, IE7, and IE8 browsers that hackers were already exploiting a vulnerability in the programs by tricking users into visiting malicious or compromised Web sites. Once at such sites, users were subjected to "drive-by" attacks that required no action by them to succeed.

Symantec was the first to report the IE bug to Microsoft after the antivirus vendor captured spam posing as hotel reservation notifications sent to select individuals within several organizations. On November 7, the chief research officer of AVG Technologies said an exploit for the newest IE flaw had been added to the Eleonore attack kit, one of several readily available toolkits that criminals plant on hacked Web sites to hijack visiting machines, often using browser-based attacks.

Microsoft has promised to patch the vulnerability, but said the threat didn’t warrant an "out-of-band" update, the company’s term for a fix outside the usual monthly Patch Tuesday schedule. Microsoft will deliver three security updates November 9, but will not fix the IE bug then. Microsoft has urged IE users to enable DEP, or data execution prevention, for IE7, use IE8 or IE9, or run one of its automated "Fix-it" tools to add a custom CSS template to their browsers as protection until a patch is available.

Source:
http://www.computerworld.com/s/article/9195380/Danger_to_IE_users_climbs_as_hacker_kit_adds_exploit
