"The exploit code was discovered on a single website that is no longer hosting the malicious code," said Jerry Bryant, group manager of response communications in the Microsoft Trustworthy Computing Group.
In a blog entry, Bryant said engineers were working on an automated "fix-it" repair until a permanent patch could be released. Currently, the issue "does not meet the criteria for an out-of-band release," Bryant said.
Drive-by attacks have become increasingly common. Users are often lured to a malicious website through an email message, an instant message or poisoned search engine results. Often, legitimate websites are compromised to host attack code. Blogs, social networks and Web forums can also be used to host drive-by attacks.
The Microsoft Security Advisory outlined a number of workarounds to mitigate the threat posed by the vulnerability, including reading email messages in plain text, applying a custom cascading style sheet as an override when reading HTML data, enabling data execution prevention (DEP) in IE 7 and deploying the Enhanced Mitigation Experience Toolkit (EMET).
Microsoft said the vulnerability could be targeted by attackers using drive-by attack websites or by compromising websites that accept or host user-provided content, such as blogs and social networks. In addition, website display advertisements can be compromised to trigger an exploit that targets the flaw.
"In all cases, however, an attacker would have no way to force users to visit these websites," Microsoft said. "Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or in an instant messenger message that takes users to the attacker's website."
A successful attack could give cybercriminals complete control of a victim's machine and the ability to download additional malware or attempt to gain access to the network.