Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Jump On Newest IE7 Bug

Posted by CmdrTaco on from the hop-on-pop dept.

CWmike writes "Attackers are already exploiting a bug in Internet Explorer 7 that Microsoft patched just last week, security researchers warned today. Although the attacks are currently in 'very, very small numbers,' they may be just the forerunner of a larger campaign, said Trend Micro's Jamz Yaneza. 'I see this as a proof-of-concept,' said Yaneza, who noted that the exploit's payload is extremely straightforward and explained that there has been no attempt to mask it by, say, planting a root kit on the victimized PC at the same time. 'I wouldn't be surprised to see this [exploit] show up in one of those Chinese exploit kits,' he added. The new attack code, which Trend Micro dubbed 'XML_Dloadr.a,' arrives in a spam message as a malicious file masquerading as a Microsoft Word document."

6 of 162 comments (clear)

  1. Re:Hopefully attacks like this won't be as prevole by Anonymous Coward · · Score: 5, Insightful

    The new attack code, which Trend Micro dubbed "XML_Dloadr.a," arrives in a spam message as a malicious file masquerading as a Microsoft Word document. If the fake document is opened, the exploit hijacks PCs that have not been patched...

    Running Chrome or Firefox won't stop idiots from opening strange attachments.

  2. Re:Whew! by Anders · · Score: 5, Funny

    Glad I'm using Lotus Notes.

    That's a first!

  3. Re:Hopefully attacks like this won't be as prevole by rolfc · · Score: 5, Funny

    Running Chrome or Firefox won't stop idiots from opening strange attachments.

    Running Linux will.

  4. Masquerading? by TheRaven64 · · Score: 5, Funny

    a malicious file masquerading as a Microsoft Word document

    I don't think this is the same definition that the rest of us use. In related news, a lizard was seen masquerading as a gecko.

    --
    I am TheRaven on Soylent News
  5. Re:Hopefully attacks like this won't be as prevole by dedazo · · Score: 5, Interesting

    It's not that difficult. I can turn your shiny Linux box into a bot zombie by sending you a Perl script in a tarfile with the execute bit set and asking you to extract and run it. I don't even need root access. More sophisticated? Fine, how about I do the same thing but use, say, Python and a simple wxWidgets UI to ask for your root password? You know, because I need it to "update your system". Chances are good you have all that installed on your system if you use the average distro.

    Don't underestimate the power of simple social engineering or the tendency of users to do dumb things. And don't overestimate the alleged technological superiority of your OS. I don't need to code an ELF binary in x86 assembler to do damage, and no one writes destructive viruses anymore. Neither you nor your data are the target. The commodity being sought here is your machine and its network connection.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  6. Re:minor pedantry by JasterBobaMereel · · Score: 5, Funny

    ...and the plural of mongoose is polygoose ....

    --
    Puteulanus fenestra mortis