An exploit of an unpatched Internet Explorer vulnerability has been added to a popular crimeware kit, a move that will probably push Microsoft to fix the flaw with an emergency update, according to a security researcher.
Meanwhile, a prominent vulnerability expert has sided with Microsoft, which has said the bug will be difficult to exploit in Internet Explorer 8 (IE8), the most popular version of the company's browser.
Last week, Microsoft warned users of its IE6, IE7 and IE8 browsers that hackers were already exploiting a vulnerability in the programs by tricking them into visiting malicious or compromised websites. Once at such a site, users were subjected to a "drive-by" attack that required no action on their part to succeed.
Symantec was the first to report the IE bug to Microsoft after the antivirus vendor captured spam posing as hotel reservation notifications sent to select individuals within several organisations.
Roger Thompson, chief research officer of AVG Technologies, says that an exploit for the newest IE flaw had been added to the Eleonore attack kit, one of several readily-available toolkits that criminals plant on hacked websites to hijack visiting machines, often using browser-based attacks.
"This raises the stakes considerably, as it means that anyone can buy the kit for a few hundred bucks, and they have a working zero-day," said Thompson in on his company's blog.
Microsoft has promised to patch the vulnerability, but last week said that the threat didn't warrant an "out-of-band" update, the company's term for a fix outside the usual monthly Patch Tuesday schedule. Microsoft will deliver three security updates today (9 November), but won't fix the IE bug then.
Thompson disagreed with Microsoft's assessment.
"I think they'll have to [do an out-of-band update]," Thompson said when asked to bet whether Microsoft will release an IE fix before 14 December, the next regularly-scheduled patch date. "I expect attacks will accelerate."
However, AVG - like Microsoft and Symantec - has so far seen only a small number of attacks leveraging the vulnerability.
The exploit added to Eleonore may have been cadged from the Metasploit open-source penetration testing kit. Last Thursday, researcher Joshua Drake added an exploit module for the IE bug to Metasploit.
"We do see a lot of exploits essentially cut and pasted from Metasploit [proof-of-concepts]," said Thompson.
Microsoft has urged IE users to enable DEP, or data execution prevention, for IE7, use IE8 or IE9, or run one of its automated "Fix-it" tools to add a custom CSS template to their browsers as protection until a patch is available.
The vulnerability is in IE's browser engine's parsing of HTML pages, and can be exploited with a specially-crafted CSS (cascading style sheet) tag.
Microsoft's security experts said that it was unlikely attackers could successfully exploit the flaw in IE8 because that browser automatically enables DEP, a defensive measure built into Windows that's designed to make it impossible, or at least difficult, for hackers to reliably exploit bugs.
HD Moore, the chief security officer at Rapid7 and Metasploit's creator, echoed Microsoft.
"Due to the limited control of the memory overwrite, exploiting this flaw is likely to be difficult on all versions of IE, but the presence on DEP will make it even more challenging with IE8," said Moore.
Microsoft also suggested that users consider migrating to IE9, the still-under-construction browser that was released as a public beta in mid-September.
But that route cannot be taken by users of IE6, the most vulnerable version and the one apparently targeted by current attacks, because those people are almost certainly running the browser in Windows XP. IE9 does not run in XP.
Rival browsers, such as Mozilla's Firefox, Google's Chrome, Apple's Safari and Opera Software's Opera, are not vulnerable to the malformed CSS tag attack.
According to the latest statistics from web analytics company Net Applications, IE8 accounted for more than half of all copies of Internet Explorer used last month, while IE6 represented about a quarter of all Microsoft browsers run in the same period.