Security researchers have discovered new zero-day vulnerabilities in Internet Explorer that are already being harnessed by hackers to run a new type of drive-by attack.Microsoft is said to be patching the last Day Zero* bug in today's Patch Tuesday (we won't really know until it comes out). But it's concerning that we hear about this only after exploits are circulating in the wild. While all programs (including Firefox) have security bugs, Firefox tends to be much faster in getting fixes out.
FireEye, the security firm that discovered the attack method, said that the flaw is present in various versions of Internet Explorer 7, 8, 9 and 10, while running Windows XP or Windows 7.
Malware slung via the latest exploit is designed to load directly into the memory of victimised Windows PC, bypassing the hard drive. The tactic makes it harder for antivirus software or similar security tools to detect and block the attack.
However, simply rebooting compromised machines would appear to remove them from the botnet, so what this new type of attack gains in stealth, it loses in persistence. FireEye posits that "the use of this non-persistent first stage may suggest that the attackers were confident that their intended targets would simply revisit the compromised website and be[come] re-infected".
So get Firefox. Err, and reboot. You'll feel better.
* A "Day Zero" bug is a security flaw that is being exploited by malware, and for which no fix has been released. Nasty stuff.