An unpatched security hole in Internet Explorer that is being exploited affects all versions of the browser, making it more serious than originally believed when it was first publicized two days ago, Microsoft says.
Microsoft is investigating reports of attacks against a new vulnerability in IE but said in an update to a security advisory issued late on Thursday that all versions of IE are potentially vulnerable.
The company recommends setting the Internet zone security setting to "high" and using access control lists to disable Ole32db.dll to provide the most effective protection against an attack.
"Our latest information is that there are still limited attacks seeking to load malicious software on vulnerable systems," Christopher Budd writes in the Microsoft Security Response Center blog.
Microsoft has seen several hundred detections of exploits from around the globe, though the sites taking advantage of the vulnerability appear to be hosted on Chinese domains, Microsoft said in a Microsoft Malware Protection Center blog.
"The exploit sites we've seen so far drop a wide variety of malware--most commonly password stealers like new variants of game password stealers like Win32/OnLineGames, and Win32/Lolyda; keyloggers like Win32/Lmir; trojan horse applications like Win32/Helpud along with some previously unseen malware which we generically detect as Win32/SystemHijack," the Malware Protection Center blog says. "We fully expect the variety of malware being dropped by this exploit to broaden as the exploit code starts to circulate around the Internet underground."
People visiting trusted sites could be affected as well from sites targeted by SQL injection attacks through which malicious code is injected into sites, Microsoft says.
A Microsoft spokesman said he could not say when a fix would come. The next Patch Tuesday is scheduled for January 13.
Microsoft's updated advisory lists a number of mitigating factors: Protected Mode in IE 7 and IE 8 in Windows Vista limits the impact of the vulnerability; IE on Windows Server 2003 and 2008 runs in a restricted mode known as Enhanced Security Configuration that sets the security level for the Internet to high; the attacker could only gain the same user rights as the local user; known attacks can not exploit the issue automatically through e-mail.