Users of Microsoft’s Internet Explorer 7 browser are being warned that a patch to fix a critical flaw within the software could have opened up users to critical security risks.
A critical flaw in MS09-002, is being exploited using a specially coded Word document which is emailed to users. Once opened, the attachment installs spyware onto the target system, including a Trojan that allows the malware to update itself.
The malware itself is believed to include key-logging and data harvesting functions, putting users at an increased risk of identity fraud. Data is then send through an encrypted channel to a location in China.
“Several antivirus vendors reported MS09-002 exploits in the wild. We can confirm that the exploit for the CVE-2009-0075 vulnerability (Uninitialized Memory Corruption) in Internet Explorer 7 is definitely in the wild and working on an unpatched Windows XP machine,” said Bojan Zdrnja of the Sans Internet Storm Center.
“Initially there was some confusion about this attack as most anti-virus vendors mentioned Word documents. The exploit targets Internet Explorer 7, but so far it has been delivered to the end user as a Word document.”
It is expected however that criminals will look to exploit the flaw through more sophisticated means.
“That being said there is absolutely nothing preventing attackers from using the exploit in a drive-by attack and we can, unfortunately, expect that this will happen very soon,” added Zdrnja.
Users who are currently using both patched and un-patched versions of IE7 are advised to be vigilant over any Word document attachments that they may receive by email and to ensure that their antivirus software remains updated.