KB 870669: It’s been a tough couple of weeks for users of Internet Explorer, the browser relied upon (by default) by about 95% of the Web-surfing population worldwide. The most recent exploit of IE security flaws, known as the “Download.Ject” attack, is at this writing only partially patched by a Microsoft workaround. The confirmed existence of related but unpatched holes is very likely to lead hackers to develop new attacks based on the successful blueprints that have already swept the Internet.
Download.Ject is quite unusual because it exploits holes on both the server and the client. As in earlier attacks, the server-side vulnerabilities had been the subject of a previously released patch, but many companies had neglected to install the fix. By contrast, the client vulnerability was previously unknown, causing Microsoft to scramble for a quick answer.
How the Download.Ject attack works
Within 24 hours, Microsoft had succeeded in shutting down the Russian Web server, though details are still sketchy. Regardless, the shutdown had the desired results: The initial Download.Ject attack was over because the server responsible for redirecting users and downloading their keystroke logs was offline. All that was left to do was to sift through the mess, figure out what happened, and see how Microsoft responded to the threat.