Exploit code out within days of patch

Less than a week after the last round of Microsoft Internet Explorer patches, security experts are already warning that exploit code is in circulation.

The particular flaw, MS09-002, is being exploited using a specially crafted Word document which is emailed to users. Once opened it installs malware onto the target system, including a Trojan to allow the malware to update itself.

"Several anti-virus vendors reported MS09-002 exploits in the wild. We can confirm that the exploit for the CVE-2009-0075 vulnerability (Uninitialized Memory Corruption) in Internet Explorer 7 is definitely in the wild and working on an unpatched Windows XP machine," said Bojan Zdrnja of the Sans Internet Storm Center.

"Initially there was some confusion about this attack as most anti-virus vendors mentioned Word documents. The exploit targets Internet Explorer 7, but so far it has been delivered to the end user as a Word document.

"That being said there is absolutely nothing preventing attackers from using the exploit in a drive-by attack and we can, unfortunately, expect that this will happen very soon."

The first malware to try and exploit the flaw looks to have been reverse-engineered rather than being in existence before the patch was announced, experts said. The malware collects information from infected computers, encrypts it and sends it to a server in China.

The short turnaround time from patch to malware will leave IT administrators racing to update corporate servers in time, and they are advised to warn users about potential threats.