Microsoft Investigates New IE Security Vulnerability

With attack code public, Microsoft said it is investigating a report of a new vulnerability impacting Internet Explorer.

With Patch Tuesday looming, Microsoft is investigating new reports of a zero-day vulnerability impacting Internet Explorer.

Exploit code for the vulnerability was posted Dec. 8 on the Full Disclosure mailing list. The bug affects Internet Explorer versions 6, 7 and 8 across multiple versions of Windows, including Windows 7 and Windows Vista.

There is no patch currently available for the bug. According to an analysis by security firm VUPEN Security, the vulnerability could be used by attackers to take complete control of a vulnerable system.

"This issue is caused by a use-after-free error within the 'mshtml.dll' library when processing a web page referencing a CSS (Cascading Style Sheets) file that includes various '@import' rules, which could allow remote attackers to execute arbitrary code via a specially crafted web page," according to VUPEN, which rated the vulnerability "critical." "VUPEN has confirmed this vulnerability with Microsoft Internet Explorer 8 on Windows 7, Windows Vista SP2 and Windows XP SP3, and with Internet Explorer 7 and 6 on Windows XP SP3."

On Dec. 14, Microsoft plans to release its final Patch Tuesday security update for the year, complete with 17 security bulletins and 40 security fixes. Included in there is a fix for another IE bug that the company first warned users about in November after attackers began pounding it with attacks.

The 17 security bulletins break a record for the company, though its current high for vulnerabilities patched in an update-49, a mark set in October-looks like it will remain untouched.

Jerry Bryant, group manager of response communications at Microsoft, said the company is unaware of any attacks targeting the latest IE bug.

"Once we're done investigating, we will take appropriate action to help protect customers," he said. "This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves."