The security community is already seeing examples of drive-by downloads taking advantage of a newly-announced vulnerability in Internet Explorer. The vulnerability is explained here and the exploit is described (in Chinese) here.

The big news in the malware world this week was the spread of a new zero day exploit for Internet Explorer. Microsoft responded fairly quickly, releasing an emergency patch yesterday, but meanwhile, the bad guys were working quickly to hack websites so they could deliver password-stealing malware onto users’ vulnerable machines via drive-by download.

To me, this highlights a trend that the security community has been seeing more lately: very rapid distribution of exploits for applications that haven’t been patched or that have just recently been patched. This is all enabled through the ability of malicious actors to quickly deploy the exploit code through the use of botnets, spam, and vulnerable websites.

In turn, this trend points out the insufficiency of "being careful" as a defense against malware. Keeping your PC up to date and avoiding suspicious websites are important safety steps, but neither will protect a user from a legitimate website hosting a zero day drive-by exploit.

Security experts always talk about layers of security, and this is a great example of the importance of that. When you combine the defenses above with "just in time" warning messages about known badware websites, proactive AV scanning, and improved security architecture in the desktop OS and applications, a user has a reasonable chance of being protected from even new, fast-moving threats. Perhaps there’s still more that can be done. Public user warning systems, distributed intelligence gathering, and other new approaches to helping users avoid malware are on the horizon, and StopBadware looks forward to working with its partners and the rest of the community in our collective effort to fight back.

Symantec describes a vulnerability in Internet Explorer that allows a website with malicious content to install a Microsoft-signed ActiveX control and then exploit a known vulnerability in that control:

Because the control is Microsoft signed, its installation is silent, and does not require any user interaction. Once this vulnerable control is installed on the victim’s computer, it is exploited in the same way as if the control was installed all along. To top it off, this attack is carried out as a drive-by attack, so the unprotected user may never know that they were vulnerable, or had been targeted, let alone infected.

It does not appear that there is a known fix for this right now, so it’s just one more reason to keep your security software up to date if you’re using Internet Explorer.

A researcher from security firm Kaspersky reportedly claims that he told Microsoft of a vulnerability in Internet Explorer “a long time ago,” but Microsoft didn’t consider it a security issue. Now, he claims he has found an example of an exploit in the wild that takes advantage of the vulnerability.

The attack, discovered at a compromised legitimate site, is using a modified GIF file to exploit the cross-site scripting feature/vulnerability.

…

Fast forward to the latest site compromise — on a high traffic Web site — where a GIF file containing an embedded iFrame is pointing IE users to a known malicious site. (The malicious site is currently offline but there’s evidence that it’s tied to ID-theft attacks)….

If the researcher’s findings are true (we haven’t confirmed them), then Microsoft should be embarrassed for missing an opportunity to protect its users and should immediately reconsider its position and treat this as the security issue that it is.

Ryan Naraine over at the Zero Day Blog reports that a new vulnerability has been found in Internet Explorer 6 running on Windows XP with service pack 2 or 3:

An unpatched cross-domain vulnerability in Microsoft’s flagship Internet Explorer browser could expose Windows users to cookie hijacks and credentials theft attacks, according to a warning from security researchers.

At the moment, there is no patch:

In the absence of a patch, IE users are strongly encouraged to upgrade to IE 7. Or, as always, consider using an alternative browser.