Attackers are exploiting a "zero-day" vulnerability in Microsoft's Internet Explorer (IE) and hijacking Windows PCs that cruise to malicious or compromised websites, security experts said Monday.
Microsoft confirmed the IE bug, saying, "We're aware of targeted attacks potentially affecting some versions of Internet Explorer," but did not set a timetable for fixing the flaw.
The unpatched bug in IE7, IE8 and IE9 can be exploited on Windows XP, Vista and Windows 7, according to Rapid7, the security firm that also maintains the open-source Metasploit penetration-testing toolkit.
Rapid7 urged IE users to ditch the browser and rely on a rival's application.
"Since Microsoft has not released a patch for this vulnerability yet, users are strongly advised to switch to other browsers, such as [Google's] Chrome or [Mozilla's] Firefox, until a security update becomes available," Rapid7 advised in a Monday post to its Metasploit blog.
Frequent Metasploit contributor Eric Romang stumbled upon the IE exploit when he probed one of the servers he claimed was operated by the "Nitro" hacker gang, which used a zero-day in Oracle's Java to compromise PCs last month.
The Nitro gang was first uncovered in July 2011 when Symantec said the group had targeted an unknown number of companies and infected at least 48 firms, many of them in the chemical, advanced materials and defense industries.
Symantec theorized that Nitro operated from the People's Republic of China, but Chinese government officials denied that it was party to the attacks.
The August 2012 attacks, which exploited a then-unpatched flaw in Java, prompted Oracle to ship one of its rare "out-of-band," or emergency, updates. Apple also rushed out a fix for Java 6, the version used by OS X Snow Leopard and OS X Lion, to protect those users.
Microsoft said that IE10, the version bundled with Windows 8 (and which is to be offered to Windows 7 users at some point), is not affected.
HD Moore, chief security officer at Rapid7 and creator of Metasploit, said he and his team had not yet tested IE10 on Windows 8. That testing is next on his to-do list. "But I would guess 'Yes,' that it can be exploited," Moore said in an interview today.
Moore was hesitant to pin responsibility on the Nitro gang, as Romang had, saying there are other possibilities. "Multiple groups may be sharing these zero-days, with one passing it along to others when it's done using it," he said.
It's also possible that the web server hosting the IE exploit code was simply a dumping ground, added Moore, who noted that researchers monitoring the rogue system have found malware on it since June.
"Maybe [the IE exploit] was put on that server because [attackers] were done with it," speculated Moore. "One way to hide your tracks is to make sure an exploit is widely distributed once you've done what you wanted with it."
IE7, IE8 and IE9 users who browse to websites infected with the exploit will automatically be hijacked, Moore confirmed. That kind of attack, where the user does nothing but surf to a malicious URL, is usually dubbed a "drive-by."
Rapid7 has not been able to trace the timeline of the vulnerability, including when it was discovered and how long it has been exploited.
According to a statement from Yunsun Wee, director of Microsoft's Trustworthy Computing group, the company will "take the necessary steps to help protect customers" after it concludes its probe.
The next Patch Tuesday is scheduled for Oct. 9, more than three weeks from today. But Microsoft has the option of providing a patch before then.
"I think a lot will depend on what they have to say in their alert when it's issued," said Andrew Storms, director of security operations at nCircle Security, of a possible emergency fix. "Right now, it sure looks like a bad bug on the loose, but nobody is saying to what degree IE's configuration settings can provide mitigation factors."
If Microsoft follows past zero-day reaction practice, it will issue a security advisory today or tomorrow with more information.
Microsoft has been reluctant to go out-of-band, however; the last time it issued an emergency patch was in December 2011. That update was the sole out-of-band patch in the last two years.
A Metasploit exploit module has been published for testing purposes, Moore confirmed. "It took [researchers] only four or five hours to come up with it," he said.
Moore stuck by Rapid7's recommendation to stop using Internet Explorer. "IE has taken major steps to improve security, but it's still the weakest link," Moore said. He also noted that avoiding the browser might not be enough, as many applications rely on the IE engine to render HTML.
What surprised him, however, was the fact that the same Web server has hosted multiple zero-days. "It's exposed one zero-day [vulnerability], then another," he said.
Customers can use the Enhanced Mitigation Experience Toolkit (EMET) 3.0 to harden IE enough to ward off the current attacks, said Wee, of the company's Trustworthy Computing group, in an email late on Monday. EMET 3.0 can be downloaded from Microsoft's websites.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.