Internet Explorer Vulnerability Exposes Windows PCs

Hackers have used a new zero-day vulnerability — a hole previously unknown to security researchers — in versions 7 and 8 of Microsoft's Internet Explorer browser to spread malware on computers running Windows XP Service Pack 3 and below. Further investigation by the developers of penetration testing tool Metasploit has demonstrated that the hole can also be exploited on computers running Internet Explorer 9 on Windows 7 or Windows Vista.

First pointed out by French researcher Eric Romang yesterday, the attack uses a specially-crafted Flash animation to drop a malware kit known as Poison Ivy on the target machine — as Ars Technica notes, it appears to be the work of the same gang responsible for exploiting a zero-day vulnerability in Java last month. Microsoft has issued an official advisory note acknowledging the problem and advising users to download its existing Enhanced Mitigation Experience Toolkit (EMET) to reduce the risk, but has not released a dedicated patch.