Unpatched machines targeted by IE 7 attacks

A vulnerability in Internet Explorer 7, for which Microsoft released an update last week, is already being actively exploited, according to anti-virus vendors.

Microsoft warned at the time that unpatched machines could be compromised if criminals created an attack that took advantage of the flaw referred to as MS09-002 - and it appears that this is already the case.

Vendors including McAfee and Trend Micro, as well as the security training group SANS Institute, confirmed that attacks were being seen in the wild, often in the form of a Word file.

The Word document contains an embedded ActiveX control, which connects to a website hosting the exploit. This is rigged with malicious script, which can steal information.

Jake Soriano, of technical communications at Trend Micro, said on the company's blog that IE 7 was targeted because it was still the dominant web browser.

He said: "IE7 is used by about one in every four web users, a much larger share than previous versions of IE. This could explain why cybercriminals seem to be eagerly searching for more bugs."

Last December, a critical vulnerability hit IE, affecting millions of users after hackers quickly pounced on it using SQL injection attacks. That attack was serious enough to warrant an out-of-band patch, as the flaw also affected other versions of IE.