Exploit for Unpatched Internet Explorer vulnerability
Well…. buckle your seatbelts it’s going to be a bumpy start to the week.
the securityfix as well as incidents.org are reporting on exploit code that has been released that takes advantage of an unpatched Internet Explorer vulnerability. According to the Sans institute diary entry… they have tested the exploit code and it remotely launched the calculator application, so this is a remote code execution vulnerability and can have SERIOUS consequences.
The exploit is in IE’s javascript, so one way to workaround is to disable javascript in IE. Another way is to use a different browser. No joke. Opera, Mozilla Firefox, or Netscape are all safe alternatives for this exploit. Of course, my favorite is firefox…
It is noted by incidents that future javascript vulnerabilities could be found that affect other browsers such as firefox. As always keep current on updates and it pays to tune into a site such as the securityfix or Incidents.org (sans institute, or here. I cannot guarantee that I’ll be getting things out as fresh as the two above though.
There is currently NO PATCH OR UPDATE for this Explorer vulnerability and it allows remote code execution. So, a malicious website could exploit it to remotely install spyware or adware for instance. If you browse with Internet Explorer right now, you are running a fair risk.
This would be what’s called a 0-day (zero-day) exploit, one that takes advantage of a previously unknown or unpatched vulnerability.
–update 12:03PM EST–
I’m seeing reports of the exploit code causing browser crashes, so it may be that it’s not 100% “effective” at the remote software execution. It still should be considered very serious. Secunia rates it at the highest severity “extremely critical”. It appears that this is a revision of an earlier vulnerability (the earlier vulnerability was reported as a Denial of Service attack vulnerability, this new angle ups the ante to remote code execution.)
–update 7:26PM EST–
The Sans Institute has raised the infocon to Yellow in light of the issue this afternoon. (You may notice the bar on the bottom of these pages. They also have reports that the DoS (Denial of Service ) attack affects Safari on OS X, but haven’t been able to duplicate on either 10.3 or 10.4…
From Microsoft, Windows Server 2003 and Server 2003 SP1 running in Enhanced Security Configuration (their default) are unaffected, at this point all others should be expected to be at risk.
–update 11:54PM EST–
Here’s the link to Microsoft’s advisory.