September 17, 2012, 9:32 PM — Attackers are exploiting a "zero-day" vulnerability in Microsoft's Internet Explorer (IE) and hijacking Windows PCs that cruise to malicious or compromised websites, security experts said today.
Microsoft said it is investigating reports of the bug, but did not set a timetable for fixing the flaw.
The unpatched bug in IE7, IE8 and IE9 can be leveraged in Windows XP, Vista and Windows 7, according to Rapid7, the security firm that also maintains the open-source Metasploit penetration-testing toolkit.
Rapid7 urged IE users to ditch the browser and rely on a rival's application.
"Since Microsoft has not released a patch for this vulnerability yet, users are strongly advised to switch to other browsers, such as [Google's] Chrome or [Mozilla's] Firefox, until a security update becomes available," Rapid7 advised in a Monday post to its Metasploit blog.
Frequent Metasploit contributor Eric Romang stumbled upon the IE exploit when he probed one of the servers he claimed was operated by the "Nitro" hacker gang, which used a zero-day in Oracle's Java to compromise PCs last month.
The Nitro gang was first uncovered in July 2011 when Symantec said the group had targeted an unknown number of companies and infected at least 48 firms, many of them in the chemical, advanced materials and defense industries.
Symantec theorized that Nitro operated from the People's Republic of China, but Chinese government officials denied that it was party to the attacks.
The August 2012 attacks, which exploited a then-unpatched flaw in Java, prompted Oracle to ship one of its rare "out-of-band," or emergency, updates. Apple also rushed out a fix for Java 6, the version used by OS X Snow Leopard and OS Lion, to protect those users.
It's unknown whether the newest vulnerability exists in IE10, the browser bundled with Windows 8, or if the exploits that Romang lifted from the hacker's server are effective against that version.