Update:
Exploit code targeting Internet Explorer rated poor but workable
Microsoft has issued a statement about the recent Internet Explorer 6 and 7 vulnerability disclosure. They have confirmed that the code disclosed is valid, but it will not work on Internet Explorer 8.
"Microsoft is investigating new public claims of a possible vulnerability in Internet Explorer. We’re aware that detailed exploit code was published on the Internet for the vulnerability, but we’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," the statement said.
"Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves. We can confirm that this vulnerability affects IE6 and IE7, but not IE8."
"To minimize risk to computer users, Microsoft continues to encourage responsible disclosure. By reporting vulnerabilities directly to a vendor, it helps ensure that customers receive comprehensive, high-quality updates while reducing the risk of attack."
Update2 (14:14PM EST 11/23/09)
"We just released Security Advisory 977981 concerning an issue affecting Internet Explorer 6 and Internet Explorer 7 that could lead to remote code execution. I want to point out that Internet Explorer 8 is not affected on any platform and that running Protected Mode in Internet Explorer 7 on Windows Vista mitigates this issue. We provide more guidance and workarounds in the advisory so I encourage customers to review it right away." - Jerry Bryant, MSRC
Original:
Exploit code posted to Bugtraq is said to be of poor quality, but experts agree that while it isn’t the best code available, it is workable, and new code will surely be developed. The proof-of-concept code, which targets Internet Explorer 6 and Internet Explorer 7, will jack mshtml.dll and could result in a compromised system, according to VUPEN Security.
The issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the "getElementsByTagName()" method, VUPEN said.
VUPEN tested and confirmed the posted exploit code on fully patched Windows XP SP 3 systems running both Internet Explorer 6 and Internet Explorer 7. During tests, both systems were successfully attacked.
Symantec, which operates the Bugtraq list, said that the “exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future.”
“When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer.”
Both Symantec and VUPEN suggest disabling JavaScript in Internet Explorer to help mitigate the issue. In addition, Symantec reminded users to visit only trusted sites and to ensure that security software is updated with the latest signatures and definitions.
The downside to the trusted-site element of Symantec’s advice is that the attack for this vulnerability can come from embedded code on a hijacked website. All summer long, various automated attacks have hit several sites online, compromising their legitimacy to spread malware and rogue anti-virus. This means even trusted sites can sometimes pose risks. It’s up to the developers who create those sites to keep things in check.
So if you have to use Internet Explorer 6 or Internet Explorer 7, and cannot update to version 8, then disable JavaScript and use some caution. Microsoft has not commented on this new vulnerability; if they do, we will update this story.
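One way to confirm that the mitigation described above (disabling JavaScript in Internet Explorer) is actually in place on a Windows host, as an added example that is not from the article or from the vendors quoted in it. It assumes Internet Explorer stores its "Active scripting" setting as the value `1400` under the per-zone `Internet Settings\Zones` registry keys (0 = enabled, 1 = prompt, 3 = disabled), a detail the article does not give; the function name is hypothetical.

```powershell
# Added example: audit IE's "Active scripting" URL action (value 1400) per security zone.
# Assumed value meanings: 0 = enabled, 1 = prompt, 3 = disabled.
$ZoneNames = @{ '1' = 'Local intranet'; '2' = 'Trusted sites'; '3' = 'Internet'; '4' = 'Restricted sites' }
$Meaning   = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }

# Group Policy locations are listed first, then the per-machine and per-user preference keys.
$Hives = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ActiveScriptingSetting {
    foreach ($hive in $Hives) {
        foreach ($zone in '1', '2', '3', '4') {
            $key  = Join-Path $hive $zone
            $item = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }    # key or value not present in this location

            $value = [int]$item.'1400'
            $state = $Meaning[$value]
            if ($null -eq $state) { $state = "unknown ($value)" }

            [pscustomobject]@{
                Zone      = $ZoneNames[$zone]
                Source    = $hive.Substring(0, 4)          # HKLM or HKCU
                IsPolicy  = ($hive -like '*\Policies\*')   # True when set through Group Policy
                Value     = $value
                Scripting = $state
            }
        }
    }
}

$settings = @(Get-ActiveScriptingSetting)
$settings | Format-Table -AutoSize

# Any location where scripting is not disabled still leaves the mitigation incomplete.
$notDisabled = @($settings | Where-Object { $_.Value -ne 3 })
if ($notDisabled.Count -gt 0) {
    Write-Warning ("Active scripting is not disabled in {0} zone setting(s)." -f $notDisabled.Count)
} else {
    Write-Output 'Active scripting is disabled in every zone setting that was found.'
}
```

The script only reports what each registry location contains; where both a policy and a preference value exist for the same zone, the policy value is the one to rely on.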