Microsoft Internet Explorer and Adobe Flash link to new cyber attacks

Security company FireEye claims attackers are using unknown flaws in IE10 and IE9 to attack web users

A previously unknown flaw in Microsoft's Internet Explorer web browser has been implicated in a spate of new cyber attacks, according to web security company FireEye.

It believes that hundreds of thousands of PCs may have been infected after the website of the US Veterans of Foreign Wars (www.vfw.org) was compromised. This compromise opened up a web page in the background when users visited, which silently redirected them to a site bearing malware.

FireEye researcher Darien Kindlund told Reuters that the attackers bore all the hallmarks of groups operating from mainland China - implying a Chinese government connection - and added that a possible goal of the attackers was to plant backdoors onto the PCs of the website's members, who are veteran military personnel.

"After compromising the VFW website, the attackers added an iframe into the beginning of the website's HTML code that loads the attacker's page in the background. The attacker's HTML/JavaScript page runs a Flash object, which orchestrates the remainder of the exploit.

"The exploit includes calling back to the IE 10 vulnerability trigger, which is embedded in the JavaScript. Specifically, visitors to the VFW website were silently redirected through an iframe to the exploit at www.\[REDACTED].com/Data/img/img.html," the company explained in an advisory.

It advises: "The exploit targets IE10 with Adobe Flash. It aborts exploitation if the user is browsing with a different version of IE or has installed Microsoft's Experience Mitigation Toolkit (EMET). So installing EMET or updating to IE11 prevents this exploit from functioning."

Other reports suggest it was a group with a track record for targeting high-profile organisations, including US government entities, defence contractors, high-profile law firms, Japanese companies and non-governmental organisations. They typically seek to implant remote access Trojans onto their victims' PCs.

A spokesman for Microsoft told Reuters that the company was aware of the attacks and IE10's possible role. IE11 is unaffected by the flaws.