ID: IRCNE2011061145
Date: 2011-06-18
“Computerworld” reports that just three days after Microsoft patched 11 bugs in Internet Explorer (IE), hackers are exploiting one of those vulnerabilities, a security company said Friday.
Microsoft fixed the flaw Tuesday in an 11-patch update for IE. That update was part of a larger Patch Tuesday roll-out that quashed 34 bugs in 16 separate security bulletins. Most security experts had put the IE update at the top of their priority lists, and urged Windows users to deploy it as soon as possible.
Symantec reported that CVE 2011-1255 -- its assigned ID in the Common Vulnerabilities and Exposures database -- is already being abused. "So far, we have only seen limited attacks taking advantage of this vulnerability and believe that the exploit is only being carried out in targeted attacks at present," said Joji Hamada, a senior researcher with Symantec's security response team.
Hamada said that Symantec had found an exploit on an apparently-compromised site that automatically downloads an encrypted malicious file to the PC of any user browsing with an unpatched copy of IE8.
The malware shows some bot traits, Hamada added. Once planted on a machine, it contacts a remote server and listens for commands from its hacker overlords.
Although the CVE 2011-1255 vulnerability affects IE6 and IE7 as well as IE8, Symantec has only seen working exploits that target the latter.
IE9, the browser that Microsoft launched in mid-March, is not affected by the vulnerability.
In the accompanying advisory, Microsoft pegged the flaw as "critical," its most-serious threat level, for IE7 and IE8 on all Windows machines.
Related Links:
Microsoft plugs 34 holes; Adobe fixes Flash Player bug
- 2