Exploit code targets Internet Explorer zero-day display flaw

By Robert Westervelt, News Editor 23 Nov 2009 | SearchSecurity.com

Security UK News Digg This!     StumbleUpon     Del.icio.us

Symantec Corp. is warning of a new publicly available exploit code targeting an unpatched display vulnerability in Internet Explorer (IE) that could enable hackers to conduct drive-by attacks and spread malware on unsuspecting victim machines.

The IE zero-day vulnerability affects the way the browser handles cascading style sheet (CSS) information used to lay out webpages. The vulnerability affects Internet Explorer versions 6 and 7. Symantec said the IE zero-day attack could infect users by using malicious JavaScript code.

"The exploit currently exhibits signs of poor reliability, but we expect that a fully functional a reliable exploit will be available in the near future," Symantec said in a blog posting on Saturday. "For an attacker to launch a successful attack, they must lure victims to their malicious webpage or a website they have compromised."

Cupertino, Calif.-based Symantec said the IE zero-day exploit code appeared Friday on the Bugtraq mailing list. Symantec and several other security vendors are providing antivirus and IPS signatures to protect against the attack.

"Internet Explorer users should ensure their antivirus definitions are up to date, disable JavaScript and only visit websites they trust until fixes are available from Microsoft," Symantec said.

IT security research and alert vendor VUPEN Security also reported the vulnerability on Saturday, saying the flaw is a dangling pointer in the Microsoft HTML Viewer (mshtml.dll).

Danish vulnerability clearinghouse Secunia gave the IE zero-day flaw a highly critical rating in an alert issued today. Secunia confirmed the vulnerability in IE6 on Windows XP SP2 and IE7 on Windows XP SP3A.

Microsoft has not yet acknowledged the vulnerabilities. The software giant patched a serious Windows kernel flaw earlier this month, fixing a vulnerability that enabled attackers to set up a malicious website and target users of Internet Explorer using embedded OpenType font.

Tags: Platform and OS Security Management,  Web Application Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Platform and OS Security Management Microsoft issues advisory on new IE security vulnerability Microsoft patches SMB flaws, Hyper-V problem in big update Microsoft blue screen affecting few corporate PCs Microsoft to fix 26 flaws in Windows, Office Thin-client technologies surge thanks to easier security, says Deloitte Microsoft issues critical security update, blocks IE 6 attacks How to use Windows XP Mode in Windows 7 Microsoft to patch single Windows 2000 vulnerability How to prevent memory dump attacks Microsoft gives Internet Explorer a major security overhaul Web Application Security CISOs take measured steps to reduce social media risks Google to pay for Chrome browser vulnerabilities Facebook, McAfee partner to fix social network security issues PDF attack code complicates security analysis, skirts detection Annual security reports offer some hope Firefox, Opera, Safari browsers top list of high risk software Active PDF attacks target Reader, Acrobat zero-day vulnerability Using unique device identification for bank website security Avoid common Web application firewall configuration errors Microsoft gives Internet Explorer a major security overhaul

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary