April 02, 2010, 9:20 AM — Microsoft said that it patched the critical vulnerability in Internet Explorer (IE) earlier this week because the number of attacks jumped after news broke that the exploit had gone public.
Microsoft's explanation fit the expectations of several security researchers, who earlier this month predicted that the company would release an "out-of-band" update if attacks climbed, saying that that was the determining factor in Microsoft's decision-making process.
Holly Stewart, a senior program manager with the Microsoft Malware Protection Center (MMPC), acknowledged that attacks exploiting the "iepeers.dll" escalated March 12, two days after Israeli researcher Moshe Ben Abu used a clue in a McAfee blog to build a working attack for the popular Metasploit open-source penetration testing kit.
Three days before that, Microsoft had issued a security advisory warning users the vulnerability was already being used by hackers in drive-by attacks from malicious sites. At the time, Microsoft said that while both IE6 and IE7 could be exploited, the latter's pseudo sandbox would protect users.
Prominent researcher HD Moore, the creator of Metasploit and chief security officer at security company Rapid7, said on Tuesday that another likely factor in Microsoft's decision to accelerate the patch was that others had figured out how to modify Abu's exploit so that it was successful against IE7 as well as IE6.
Microsoft patched the iepeers.dll memory corruption vulnerability, and nine others, in the MS10-018 update it issued Tuesday , two weeks ahead of its standard schedule.
Stewart also said that Microsoft's analysis indicated that 80% of the attacks using the iepeers.dll exploit were aimed at Chinese computers. Whether coincidence or not, the vulnerability was originally reported to Microsoft by Beijing-based ADLab, an arm of security firm VenusTech. ADLab alerted Microsoft of the bug in mid-November 2009.
Machines in neighboring South Korea accounted for 11% of the attacks, but only 5% targeted U.S. PCs, said Stewart in an entry to the MMPC blog on Tuesday.