Exploit Out for Microsoft IE Flaw

Discussion in 'news, general information and FAQs' started by NICK ADSL UK, Mar 27, 2006.

Thread Status:
Not open for further replies.
  1. NICK ADSL UK

    NICK ADSL UK Administrator

    Just days after Microsoft revealed the existence of a "critical" flaw in its Internet Explorer (IE) Web Browser, word is out that exploit code for this as yet unpatched flaw is already doing the rounds of the Internet.

    Microsoft says that the flaw lies in the way IE processes information using the createTextRange method, and that the vulnerability can allow a potential hacker to execute arbitrary code on affected systems.

    The vulnerability exists in fully patched systems with IE 6.0 running Microsoft Windows XP Service Pack 2, as also in the IE 7 Beta 2 Preview (January Edition).

    According to Secure Elements, a Virginia-based security firm, the exploit has been posted on several Web sites and is such that even not-so-professional hackers can use it to take advantage of the IE vulnerability.

    Secure Elements also says that it's only a matter of time before the exploit gets transformed into a virus or worm capable of inflicting huge damage on unprotected systems.

    Thanks to the public availability of the exploit, the SANS Internet Storm Center has raised its alert levels from the normal Green to Yellow for the next 24 hours.

    Apparently the exploit code was initially released by a group of attackers called Unl0ck.net, and has since been published on various Web sites.

    On one hand, Microsoft says that the IE flaw cannot be exploited automatically via email or while viewing email through the preview pane; on the other hand the company is not ruling out the possibility of an out-of-cycle, emergency patch for this flaw just in case matters get worse.

    http://www.techtree.com/techtree/jsp/article.jsp?article_id=72141&cat_id=643
     