Microsoft warned all users of Internet Explorer 7 to immediately patch their browser to shun malicious code in the wild from controlling your PC. The latest exploit is a new zero day vulnerability and it specifically targets IE7, but there is a big possibility that other versions might be affected including 5, 6 and the latest IE beta 8.
Microsoft issued a security patch released today to address the vulnerability found on its browser therefore Internet Explorer users are advised to immediately download the patch via auto-update or through Microsoft Download Center. A separate patch will be made available for those running IE8 Beta 2. ®
“We are actively investigating the vulnerability that these attacks attempt to exploit,” says Microsoft. “We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”
The milicoius JavaScript code named “JS_DLOAD.MD” by Trend Micro stems from data binding bugs that allows hackers access to a computer’s memory space, allowing attackers to remotely execute malicious code as IE crashes, Microsoft has said. Once the JavaScript succeeds in its exploit, it then triggers a series of redirections to multiple URLs, then finally settling on one of several different domains. Supposedly, the toolkit associated with this evil JavaScript is rumored to being sold in the Chinese underground community. “This is quite logical, since TSPY_ONLINEG variants are notorious info-stealers — particularly stealing credentials related to online games, which in turn are very popular in China,” said Trend Micro in this blog.
First found at warez and *ahem* porn sites hosted by Chinese domains, the malicios JavaScript code has snice spread to even your trusted sites through SQL injection. The code targeted gamers’ password so far but experts say that it might steal other sensitive data soon.