18 Sep 2012
A security scare for Microsoft users hit late yesterday, after vulnerability management company Rapid7's Metasploit penetration tool project discovered an Internet Explorer exploit that is said to affect all browsers earlier than IE9, and which has never been patched by Microsoft.
Rapid7 discovered the bug when contributor Eric Romang was infiltrating a server he suggests was being operated by the Nitro group, which was said to have been responsible for August's zero-day Java exploits.
While Microsoft has now released a patch, hackers are reported to have exploited the security hole overnight, using malicious websites to hijack Windows PCs running older versions of the browser.
Before Microsoft released the patch earlier today, Rapid7 advised users to "switch to other browsers, such as Chrome or Firefox, until a security update becomes available".
Rapid7 advised that the exploit had already been used by hackers in the wild before being published on Metasploit. "The associated vulnerability puts about 41 per cent of internet users in North America and 32 per cent world-wide at risk," said the blog.
The attack follows last week's discovery of a pre-release version of Windows 8 containing a Flash vulnerability that Microsoft has refused to patch until general availability is confirmed on 26 October.
Meanwhile, in the same week, Microsoft also discovered that an insecure supply chain to China has been exposing new machines purchased in that country to a malware botnet named Nitol.
The company is currently working on clearing up the distribution, which is said to involve a collection of machines with pirated Microsoft operating systems. Meanwhile, a US court has allowed Microsoft to take over authority of top level domain 3322.org in order to control Nitol's spread.