Microsoft confirms attacks against IE6, IE7

From InfoWorld: For the second time in six weeks, Microsoft today confirmed that hackers are exploiting an unpatched bug in DirectX, this time by attacking Internet Explorer (IE).

The company's security team issued an advisory Monday acknowledging reports of in-the-wild attacks and providing more information about who is vulnerable.

Earlier Monday, security researchers at a pair of Danish firms had announced that thousands of legitimate Web sites hacked over the weekend were conducting drive-by attacks on IE users with an exploit of a critical unpatched vulnerability in Windows' DirectShow, part of DirectX.

"A browse-and-get-owned attack vector exists," Chengyun Chu, of the Microsoft Security Response Center's engineering team, said in a blog post this afternoon. "A user needs to be lured to navigate to a malicious Web site or a compromised legitimate Web site to be affected ... [but] no further user interaction is needed."

Users running IE6 or IE7 on Windows XP and Windows Server 2003 are vulnerable to the drive-by attacks, Microsoft said. Vista and Server 2008 are not at risk, however, nor are people running IE8, Microsoft's newest browser.
