Daily cyber threats and internet security news: network security, online safety and latest security alerts
November 24th, 2009

Critical 0-day Vulnerability In Internet Explorer 6 And 7, Exploit Already Published

Exploit code for a critical (remotely exploitable) vulnerability in Microsoft’s Internet Explorer 7 browser has been released on the Internet, prompting a new round of “upgrade now!” warnings from computer security experts. The vulnerability could be used in malware attacks to take complete control of a Windows machine running IE 6 or IE 7, according to an advisory issued over the weekend.

The vulnerability could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the “getElementsByTagName()” method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.

The vulnerability was confirmed on fully patched Windows XP SP3 systems with Internet Explorer 6 and 7. IE users unable (or unwilling) to upgrade to IE 8 can disable Active Scripting in the Internet and Local intranet security zones.
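One way to check and apply the Active Scripting workaround from a script. This is an added example, not code from the article or from Microsoft's advisory. It assumes the standard IE zone registry layout (zone 1 = Local intranet, zone 3 = Internet, URL action 1400 = Active scripting) and that a machine policy value overrides the per-user one; the `-Apply` switch is this example's own name.

```powershell
# Added example: audit (and with -Apply, disable) Active Scripting per zone.
# URL action 1400 is "Active scripting": 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Apply)   # -Apply is this script's own switch (hypothetical name)

$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$states  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$action  = '1400'
$suffix  = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$userBase   = "HKCU:\Software\$suffix"
$policyBase = "HKLM:\Software\Policies\$suffix"

function Get-ZoneAction([string]$Base, [int]$Zone) {
    # Returns the DWORD for URL action 1400, or $null when the value is absent.
    $key  = Join-Path $Base "$Zone"
    $item = Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$action
}

function Format-State($Value) {
    if ($null -eq $Value) { return 'not set' }
    if ($states.ContainsKey($Value)) { return $states[$Value] }
    return "unknown ($Value)"
}

foreach ($zone in ($zones.Keys | Sort-Object)) {
    $policy = Get-ZoneAction $policyBase $zone
    $user   = Get-ZoneAction $userBase $zone
    # Assumption: a machine policy value, when present, overrides the user's setting.
    if ($null -ne $policy) { $effective = $policy } else { $effective = $user }

    Write-Output ("{0,-15} user={1}, policy={2}" -f $zones[$zone], (Format-State $user), (Format-State $policy))

    if ($effective -eq 3) { continue }   # already disabled, nothing to do
    if (-not $Apply) { Write-Output "  -> Active Scripting is NOT disabled"; continue }
    if ($null -ne $policy) { Write-Output "  -> set by policy; change it in Group Policy"; continue }

    $key = Join-Path $userBase "$zone"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $action -Value 3 -PropertyType DWord -Force | Out-Null
    Write-Output "  -> Active Scripting disabled for the current user"
}
```

Run without arguments it only reports; the change is per user, so it has to be repeated (or pushed through Group Policy) for every account that browses with IE 6 or 7.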

Security researchers at Symantec have tested the published exploit and warned that a fully-functional reliable exploit will be available in the near future. When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer.

Microsoft has issued an advisory with mitigation guidance; it can be found here.

Credit: Security Blogs
