Critical Zero-Day Flaw Opens Holes in IE 6 and 7

A newly discovered threat that doesn't yet have any patch can allow for a Web-based attack against up-to-date Internet Explorer 6 and 7 browsers, according to security companies. The site could be a specifically created malicious site, or one that was hijacked and had the attack code inserted. Both Symantec and Vupen Security have posted alerts about the bug, which involves the way IE handles cascading style sheets, or CSS. According to the posts, browsing a Web site with embedded attack code would trigger the assault.

According to Vupen's post, the flaw affects both IE 6 and 7 on a fully patched XP SP3 computer and could allow for running any command on a vulnerable system, such as installing malware. Symantec's post says its tests confirm the published exploit works, but that it "exhibits signs of poor reliability," ie. it doesn't always work. There aren't yet any reports of active attacks, but exploit code is publicly available. An additional e-mail from Symantec says that Vista is affected as well, but Microsoft has not yet confirmed the vulnerability. According to Vupen, disabling Active Scripting in the Internet and Local intranet security zones will block attacks against this flaw, but doing so would likely block Web site functionality as well. Zero-days that affect IE are typically major threats, so attackers will likely begin hiding attacks that target this flaw on compromised Web sites, and spewing out e-mails and online comments with links to sites that contain attacks.

Current reports do not list IE 8 as vulnerable, but Symantec warns that "there are possibilities that other versions of IE and Windows may also be affected." Your best bet may be to use an alternate browser such as Firefox until a patch is available.

0 comments:

Post a Comment