    Zero-Day IE Flaw Being Actively Exploited

    Microsoft’s recent security updates do not protect against a newly discovered zero-day vulnerability, which gives cyber criminals an opportunity to compromise PCs.

    Several websites were found rigged with a malicious JavaScript that Trend Micro detects as JS_DLOAD.MD. The script exploits this zero-day vulnerability in Internet Explorer through a heap spray on SDHTML. It also checks the IE version installed on the affected system, since the exploit targets IE7.

    After a successful exploit, the script triggers a series of redirections through multiple URLs and finally connects to one of several different domains. A full list of the malicious domains can be found at ShadowServer, which has been verifying the domains it has collected along with those reported by other security researchers across the industry.

    We detect the downloaded files as the following:

    • TSPY_ONLINEG.EJH
    • TSPY_ONLINEG.EJG
    • TSPY_ONLINEG.HAV
    • TSPY_ONLINEG.ADR

    The toolkit related to this exploit is reportedly being sold in the Chinese underground community. This is quite logical, since TSPY_ONLINEG variants are notorious info-stealers that particularly target credentials for online games, which in turn are very popular in China.

    The Trend Micro Smart Protection Network protects users at the desktop level by blocking all related malicious domains and detecting the files. However, this recently discovered flaw remains unpatched by Microsoft.

    The SANS Internet Storm Center (ISC) also has additional information posted on this issue in their Daily Incident Handler’s blog.

    This threat bears strong resemblance to a couple of attacks we’ve seen this year, which were primarily targeting Chinese gamers:

    Update as of 11 December 2008, 12:00 AM PST:

    Trend Micro researchers have found another sample of this malware that downloads the file explorer.exe, which is now detected as RTKT_BUREY.C.

    Update as of 12 December 2008, 4:00 AM PST:

    Microsoft updated its Security Advisory, initially published December 10. The update confirms that this zero-day vulnerability affects not only Internet Explorer 7 (IE7) but all versions of Internet Explorer.




