Symantec confirms Internet Explorer exploit

A new exploit targeting Internet Explorer has been published on the BugTraq mailing list. According to Symantec, the exploit takes advantage of a critical cascading style sheet (CSS) vulnerability. 

“[We] conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7 as well. [However], the exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future,” Symantec explained in an official blog post.

“When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. [But] they must [first] lure victims to their malicious Web page or a Web site they have compromised. [Yet], in both cases, the attack requires JavaScript to exploit Internet Explorer. [As such], IE users should disable JavaScript and only visit Web sites they trust until fixes are available from Microsoft.”

The latest Zero Day IE exploit has also been confirmed by Vupen Security, which provided a detailed description of the vulnerability.

“This [exploit] is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the ‘getElementsByTagName()’ method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.”??

It should be noted that Vupen Security lists the exploit as only affecting versions 6 and 7 of Internet Explorer.??

See Also
?Mutant Koobface worm attacks Skype accounts
China has free reign over US computers
?Microsoft issues Windows 7 security advisory
Stealth malware steals jailbroken iPhone data
Adobe sneaks out mega security patch