Zero-Day Microsoft Vulnerabilities Being Exploited

Web sites have been found with malicious JavaScript code that attempts to exploit a vulnerability in Internet Explorer 7.

Thomas Claburn, Editor at Large, Enterprise Mobility

December 11, 2008


Two zero-day vulnerabilities in Microsoft software are being actively exploited.

Even as it issued its December series of security bulletins on Tuesday, Microsoft warned in a separate security advisory that it was investigating reports of a vulnerability in the WordPad Text Converter for Word 97 files on systems using Windows 2000 SP4, Windows XP SP2, or Windows Server 2003 SP1 or SP2.

"At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability," Microsoft said, characterizing the risk as limited.

But on Wednesday, a new problem arose. Proof-of-concept exploit code for a different vulnerability, an XML parsing bug in Internet Explorer, was posted on Milw0rm.com.

The advisory Microsoft issued about this attack on Wednesday sounds much like the one it issued on Tuesday. "At this time, we are aware only of limited attacks that attempt to use this vulnerability," Microsoft said. It warned of attacks against Windows Internet Explorer 7 on Windows XP SP2 and SP3, Windows Server 2003 SP1 and SP2, Windows Vista and SP1, and Windows Server 2008.

This isn't the first time vulnerabilities have appeared just after Microsoft's regularly scheduled patch day. It's a trend that appears to represent an effort to take advantage of the rigidity of Microsoft's patch process and to maximize the useful lifespan of exploits.

Trend Micro reports that several Web sites have been found with malicious JavaScript code that attempts to exploit the IE vulnerability. "This script exploits this zero-day vulnerability in Internet Explorer, through a Heap Spray on SDHTML," the company said on its Web site. "It also checks for the IE version installed on the affected system, since this exploit targets IE7."

Trend Micro says that the toolkit related to this exploit is being sold in the Chinese underground community and that files associated with this attack have been designed to steal information such as online gaming credentials.

According to Virustotal, a file analysis service, only 20 out of 38 listed antivirus applications detected the information-stealing malware.

Trend Micro also says that victims of this attack could become infected with a rootkit.


