Microsoft confirms the existence of proof-of-concept attack code for a flaw affecting Internet Explorer 6 and 7.
has confirmed the existence of a zero-day
bug in Internet Explorer 6 and 7.
Proof-of-concept attack code
for the flaw was posted Nov. 20 to the Bugtraq mailing list.
The flaw is tied to the way IE uses CSS
(Cascading Style Sheets) information.
According to Microsoft, the company is looking into how to best address the
"We're aware that detailed exploit code was published on the Internet
for the vulnerability, but we're currently unaware of any attacks trying to use
the claimed vulnerability or of customer impact," a Microsoft spokesperson
said Nov. 23. "Once we're done investigating, we will take appropriate
action to help protect customers. This may include providing a security update
through the monthly release process, an out-of-cycle update or additional
guidance to help customers protect themselves."
An analysis by
found the vulnerability is caused by a dangling pointer in
the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE
objects via the "getElementsByTagName()" method. If it is exploited
successfully, attackers could crash the browser or execute arbitrary code by
tricking a user into visiting a malicious Web page.
As a solution, Vupen recommends users disable active scripting in the
Internet and Local intranet security zones. If Microsoft decides to issue a
patch for the vulnerability, it may come Dec. 8 as part of the Patch
Tuesday security fixes.