Security provider Symantec has reported the discovery of an active in-the-wild exploit for a recently disclosed vulnerability in Internet Explorer.
Last week Microsoft issued a security bulletin regarding "one publicly disclosed and twelve privately reported vulnerabilities in Internet Explorer" which affect IE6 through IE9 and "could allow remote code execution if a user views a specially crafted webpage using Internet Explorer," letting an attacker "gain the same user rights as the current user."
Microsoft has patched the vulnerability, but Symantec reports that the exploit was detected in attacks against websites belonging to the human rights organization Amnesty International.
Symantec's analysis of the affected Amnesty International Hong Kong website revealed an iFrame script injection.
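An injected iframe of the kind described above is typically sized to zero or hidden with CSS and points at a host the site owner never intended to embed. The following is an added example, not code from Symantec or from the article, of a simple page-integrity check a site operator could run over their own HTML: it flags any iframe that is hidden or that loads from a host outside an allowlist. The sample page, the `203.0.113.5` address (an RFC 5737 documentation range) and the allowlist are all constructed for illustration.

```python
"""Flag iframes in a web page that look like injected content.

Added example (not from Symantec's report): a page-integrity check a site
owner could run over their own pages. It flags <iframe> elements that are
hidden (zero size, display:none, visibility:hidden) or that load from a
host outside an allowlist of expected embed origins.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate embed plus one injected hidden iframe.
SAMPLE_HTML = """
<html><body>
<h1>News</h1>
<iframe src="https://video.example.org/embed/123" width="640" height="360"></iframe>
<iframe src="http://203.0.113.5/a.htm" width="0" height="0" style="display:none"></iframe>
</body></html>
"""

# Hosts this site is expected to embed from (constructed allowlist).
ALLOWED_HOSTS = {"example.org", "video.example.org"}


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attribute values are None when written without "=value".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the iframe is invisible to the visitor (CSS or 0/1 px size)."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def _is_foreign(src, allowed_hosts):
    """True if src points at a host not in the allowlist (relative URLs are same-origin)."""
    host = urlparse(src).hostname
    if host is None:
        return False
    return host.lower() not in allowed_hosts


def find_suspicious_iframes(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of {'src', 'reasons'} for each iframe that is hidden or foreign."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        src = attrs.get("src", "")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if _is_foreign(src, allowed_hosts):
            reasons.append("foreign-host")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML):
        print(f"{finding['src']}: {', '.join(finding['reasons'])}")
```

Run against the sample, the check reports only the second iframe, with both reasons. A hidden iframe from an allowlisted host, or a visible one from an unknown host, is still reported, which is the intended bias: on a site that should have no surprises in its embeds, either condition alone merits a look at the served HTML against the deployed source.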
The exploit works against XP, Vista and Windows 7 in a variety of language editions and delivers a previously detected Remote Access Trojan (RAT) identified as Trojan.Naid.
"Trojan.Naid is a Trojan horse program that listens for and accepts a connection from the attacker to essentially provide unauthorized remote control functionality to the compromised computer over a custom communications protocol. This access allows the attacker to perform numerous nefarious activities such as stealing private information or monitoring Internet activities. The Trojan.Naid sample used in this attack and others has been observed to communicate to IP addresses hosted in Hong Kong by local Internet Service Providers," Symantec states.
The Amnesty International website has since been cleaned up, according to the report.
Symantec noted that the exploit is being regarded as a zero-day because the attacks took place before a patch for the vulnerability was released, and that this is an uncommon circumstance, leading analysts to ask whether it signals a coming escalation in zero-day exploits.
"While the exploit used in this attack has been referred to as being a zero-day due to reports of it being seen in the wild before the recent Security Bulletin Summary, zero-days are not commonly observed in attacks. Most attacks use known, patched exploits readily available to attackers online. Other zero-days have, however, been reported in recent days, such as Microsoft's announcement of the Microsoft XML Core Services CVE-2012-1889 Remote Code Execution Vulnerability (CVE-2012-1889) (Symantec detection Bloodhound.Exploit.465 and IPS Web Attack MSIE MSXML CVE-2012-1889). This begs the question: will we see more zero-days being used in similar attacks?"