New zero-day bug targets IE users in drive-by attack
A pair of vulnerabilities in Internet Explorer are currently being exploited in the wild to install malware on computers that visit at least one malicious Web site, security researches warn.
The classic drive-by download attack targets the English versions of IE 7 and 8 in Windows XP and IE 8 on Windows 7, security firm FireEye warned in a company blog post Friday. However, the security researcher wrote that its analysis indicated that other languages and browser version could be at risk.
"The exploit targets the English version of Internet Explorer, but we believe the exploit can be easily changed to leverage other languages," FireEye researchers Xiaobo Chen and Dan Caselden wrote. "Based on our analysis, the vulnerability affects IE 7, 8, 9 and 10." The second of the two holes is an information leakage vulnerability that is used to retrieve the timestamp from the program executable's header.