Users who failed to patch their computers after Microsoft released its monthly Patch Tuesday update last week could be in trouble - an Internet Explorer (IE) browser vulnerability for which the patch was sent out is under attack again.

This IE patch released last week, for an "Uninitialized Memory Corruption" vulnerability, was rated critical by Microsoft (NASDAQ: MSFT). Also known as CVE-2009-0075, the vulnerability stems from how IE deals with objects that have been deleted.

An attack discovered yesterday targeted that vulnerability again. "Malware crooks were quick to develop a working exploit for the vulnerability in Internet Explorer 7, which was part of the February Microsoft patch release," said Raul Mohandas, in antivirus vendor McAfee's (NASDAQ: MFE) Avert Labs blog.

Hackers can exploit the Uninitialized Memory Corruption vulnerability by building a Web page that remotely executes code when it is visited.

Mohandas' blog posting said the latest attack is launched through a Microsoft Word document that contains an embedded ActiveX control. The ActiveX control connects to a Web site hosting the attack when it is opened.

This method is similar to the follow up to the zero-day attack on IE 7 in December that forced Microsoft to issue an out of band patch, Mohandas said in the blog.

Craig Schmugar, senior threat researcher at McAfee, told he is not sure whether or not hackers had reverse engineered the patch issued last week, although there is a good possibility that this is the case. "There's the concept of Exploit Wednesday on the heels of Patch Tuesday where, in the course of providing a fix, you provide an opportunity for the bad guys to attack people who can't patch their systems that quickly," he added.

However, Bojan Zdmja, writing on the Internet Storm Center's (ISC) Web site, appears convinced that the hacker reverse engineered the patch. The ISC was created in 2001 to provide free analysis and warning services to Internet users and organizations.

Users' troubles with their IE browser may not be over yet. Schmugar warned that, although the attacker is using a Word document now, nothing prevents the exploit from being used in a drive-by attack, where a tainted Web site automatically downloads malware onto visitors' sites. "We can, unfortunately, expect that this will happen very soon," he wrote on the ISC's Web site.

IE has been hit by a series of vulnerabilities in the past few months because the browser is a tempting target. "Internet Explorer vulnerabilities are more likely to yield exploit code after a patch because there are more tools around to create a new exploit," Schmugar said.

"Install the MS09-002 patch, which was sent out last week, immediately."

This article was first published on