Exploit code posted for new Internet Explorer flaw

On December 20th, a video posted on offensive-security.com demonstrated the CSS handling flaw. Following this post, on December 22nd, code was published on Metasploit.com.

SCMagazine posted:

An exploit taking advantage of an unpatched vulnerability in Internet Explorer (IE) has gone public.

Security researcher Shahin Ramezany said in a Tuesday tweet that he was able to exploit the flaw, which involves the way IE handles CSS style sheets on Windows 7 and Vista machines.

A video demonstrating code execution was posted Monday by Offensive Security, a provider of security tools and training.

On Wednesday, exploit code was published as part of the open-source Metasploit hacking toolkit.

The flaw is able to bypass two built-in Windows security features: Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), according to Ramezany.

Microsoft has not yet confirmed the vulnerability.

“We’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact,” Dave Forstrom, director of trustworthy computing at Microsoft, told SCMagazineUS.com on Wednesday in an email. “Once we’re done investigating, we will take appropriate action to help protect customers.”

Read post from SCMagazine:
http://www.scmagazineus.com/exploit-code-posted-for-new-internet-explorer-flaw/article/193258/

On December 22nd, Microsoft confirmed the IE flaw but claims it's not yet being exploited. Looks like we will have to wait until the January 11th round of updates for the fix.

Microsoft has confirmed the presence of an unpatched vulnerability in all supported versions of its Internet Explorer (IE) browser.

The software giant on Tuesday evening EST released a security advisory, acknowledging the flaw that, if exploited, could result in the execution of remote code. The bug impacts IE versions 6, 7 and 8.

“The vulnerability exists due to the creation of uninitialized memory during a CSS [style sheets] function within Internet Explorer,” the advisory said. Users can be exploited if they visit a web page hosting the exploit.

Microsoft is not aware of any in-the-wild attacks targeting the vulnerability or of any affected customers, Carlene Chmaj, senior response communications manager for Microsoft’s Trustworthy Computing group, said in a blog post.

But proof-of-concept code exists. A video demonstrating code execution was posted Monday by Offensive Security, a provider of security tools and training. And on Wednesday, exploit code was published as part of the open-source Metasploit hacking toolkit.

Although the flaw is able to bypass two built-in Windows security features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), IE Protected Mode for Vista and subsequent versions of Windows “helps to limit the impact of currently known proof-of-concept exploits,” Chmaj wrote.

Microsoft is next due to release security fixes on Jan. 11. As of now, the company has no plans to issue an out-of-cycle patch for this vulnerability.

Read post from SCMagazine:
http://www.scmagazineus.com/microsoft-confirms-ie-flaw-not-yet-being-exploited/article/193310/



This entry was posted on Friday, December 24th, 2010 at 2:48 pm and is filed under Security.