Researchers at security firm FireEye have identified two new Microsoft Internet Explorer zero-day exploits.
The vulnerabilities are present in various versions of Internet Explorer 7, 8, 9 and 10 running on Windows XP or Windows 7.
The first is hosted on a breached website based in the US.
The researchers say this exploit compromises anyone visiting a malicious website in a classic drive-by download attack.
The exploit uses a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve remote code execution.
The second IE zero-day exploit found in the wild is being used in a strategic web compromise.
FireEye researchers found that the attackers inserted this zero-day exploit into a strategically important website.
This is a classic waterhole attack in which attackers have compromised a website known to draw visitors who are likely interested in national and international security policy.
FireEye has also found a link between this new attack and Operation DeputyDog that targets organisations in Japan.
FireEye researchers found that the malicious payload loads directly into computers’ memory, bypassing the hard disk.
The “diskless” nature of the threat makes it more difficult for network defenders to protect against such threats.
“This technique will further complicate network defenders’ ability to triage compromised systems, using traditional forensics methods,” the researchers said.
“On the positive side, of course, rebooting the computers would mean that they were no longer infected,” said independent security consultant Graham Cluley.
“But without knowledge that their systems had been compromised, how are organisations supposed to know that sensitive data might have been stolen?” he wrote in a blog post.
Cluley also notes that the attacks are affecting computers running Windows XP, but that from April 2014, there will be no further security updates from Microsoft for the operating system.
Any users of Windows XP who value security should update their operating system as soon as possible, he said.
The two IE zero-days come in addition to the recently reported zero-day that exploits a vulnerability in the graphics component of several key Microsoft products.
The vulnerability (CVE-2013-3906) is in the TIFF graphics format used in Microsoft Windows Vista, Windows Server 2008, Microsoft Office 2003-2010 and Microsoft Lync.