10 Nov 2010

Malware attacks Internet Explorer exploit

According to an antivirus company, a new Internet Explorer zero-day exploit has emerged. The exploit has been added to the Eleonore attack kit, which has targeted several web browsers and Windows programs in the last five years.

Roger Thompson, the company’s chief research officer, recently wrote on his blog “we've begun detecting it in the Eleonore Exploit Kit. This raises the stakes considerably, as it means that anyone can buy the kit for a few hundred bucks, and they have a working zero-day.”

According to ZDNet, the weakness allows attackers to execute code without the user’s knowledge. Attackers place the code in malicious websites. When a user accesses the website, the attacker can execute a drive-by attack, in which they execute the code on the victim’s machine.

Microsoft acknowledged the presence of the exploit in early November. "It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted,” the company said.

Zero-day exploits can be a serious threat to web browsers. Another recent zero-day exploit targeted Firefox users through an infection on the Nobel Peace Prize website.