Microsoft confirmed on Tuesday a new flaw affecting version 6 and 7 of its Internet Explorer web browser that could allow remote code execution. The security advisory noted that targeted attacks using the flaw were already in the wild.

This information was confirmed by McAfee, reporting that exploitation of the flaw was originating from the domain topix21century dot com over both HTTP and HTTPS. The drive-by attacks install a backdoor which connects to a command-and-control server.

Analysis by Symantec reveals that the exploit works effectively on IE6. IE7 tended to crash instead, and IE8 is, as stated in the Microsoft advisory, immune. The attack loads some malicious code, and then makes repeated changes to the HTML document eventually provoking execution of the malicious code.

The best solution is to upgrade to IE8, as one of the many improvements found in this browser also seals off the security hole. Failing that, enabling Data Execution Prevention in IE7 should provide some level of mitigation, as the current exploits do not circumvent DEP (though they could probably be combined with DEP bypass techniques). Removing access to the file iepeers.dll using either of the mechanisms described in Microsoft’s advisory prevents Internet Explorer from loading the flawed code, but may also break print and web folder functionality. Finally, disabling of scripting and ActiveX in the Internet and Local Intranet security zones should also provide protection against exploitation.

Microsoft has still made no indication whether this flaw will receive an out-of-band update, but with exploits in the wild and documented analysis of the exploit, clearly this flaw is something that needs fixing, and soon.

Read the comments on this post