Attention all Windows users: patch your systems now

Online attackers are actively exploiting a vulnerability in Internet Explorer that allows them to execute malicious code on computers that visit booby-trapped websites, researchers said in an advisory that underscores the importance of installing a Microsoft patch as soon as possible.

The exploit of a critical IE bug, reported by researchers from antivirus provider McAfee, means there are two newly disclosed vulnerabilities in Microsoft products under attack. On Tuesday, Microsoft warned of a separate vulnerability in all supported versions of Windows that was also actively being exploited.

The most immediate significance of the McAfee report is this: If you run Windows and haven’t installed Tuesday’s batch of security fixes, you should stop whatever else you’re doing and run them now.

“The exploit works across all major Windows platforms, including Windows Vista and Windows 7,” McAfee researcher Yichong Lin wrote in an advisory. “It leverages return-oriented programming (ROP) exploitation technology to bypass… data execution [prevention] (DEP) and address space layout randomization (ASLR) protections, and hook-hopping evasion techniques to evade host-based IPS detections.” The attacks work against default installations of Windows XP. For them to work against more recent versions of the Microsoft OS, a targeted system must be running an older version of Oracle’s Java virtual machine.

In a frequently asked question section of Tuesday’s Microsoft Security Bulletin MS12-037, company officials said: “Microsoft is aware of limited attacks attempting to exploit the vulnerability. However, when the security bulletin was released, Microsoft had not seen any examples of proof of concept code published.” A corresponding exploitability index said only that exploit code was “likely.” But according to Lin, he and his colleagues discovered the attack on June 1 and worked with Microsoft as it prepared Tuesday’s fix.

Microsoft on Tuesday issued a temporary fix for a separate vulnerability that attackers are also exploiting to execute malicious code on end-user machines. According to Zero-Day blogger Ryan Naraine, attacks targeting that vulnerability, which resides in an XML component included in Windows, prompted recent warnings Google issued to users who may be the victims of state-sponsored attacks.