Microsoft released a patch for eight vulnerabilities in Internet Explorer on Thursday, fixing at least one previously undisclosed flaw in the company's Web browser currently being exploited by cybercriminals.
The security update, the second one for Microsoft so far this year, fixes six memory corruption vulnerabilities, another issue in handling URL validation and a flaw that would allow an attacker to bypass the cross-site scripting filter. Among the fixes is a patch for a flaw used by attackers operating from Chinese server who infiltrated networks at Google, Adobe and other companies. While security firms have reported several more general attacks appearing on the Internet, Microsoft continued to describe the threats as "limited."
"Microsoft continues to see limited and targeted attacks against Internet Explorer 6 only," the company said in a statement announcing the fix. "However, Microsoft recommends customers deploy this security update as soon as possible to protect themselves against the known attacks."
Over the weekend, more general attacks using the vulnerability were detected by security firm Websense, which found a single page hosting the attack. A day later, the firm discovered two more pages hosting similar attacks, according to its Security Labs blog.
We "identified two more malicious URLs that are used in live attacks," the company stated. "According to reports from our friends at Ahnlab, the second URL was spread through the Instant Messenger network Misslee Messenger, a popular IM client in South Korea."
Attacks have also reportedly focused on Chinese users, which account for much of the population of Internet Explorer 6 users.
The out-of-band update, called such as it falls outside of Microsoft's regularly scheduled Patch Tuesday, follows last week's announcement that Google and other major technology companies came under attack from servers based in China. While initial reports focused on a recently patched flaw in Adobe Acrobat and Reader as being the vector for the attacks, analysis of some of the malicious files confirmed that a zero-day flaw in Internet Explorer was used.
Security experts have recommended that users upgrade to the the latest version of Internet Explorer that has additional protection to make exploitation more difficult, especially on Windows Vista and Windows 7. More drastically, technical branches of the French and German government have recommended that users move to a non-Microsoft browser.
UPDATE: This article was updated at noon PT to include information on the just-released advisory.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos