With attack code public, Microsoft said it is investigating a report of a new vulnerability impacting Internet Explorer.
With Patch Tuesday looming, Microsoft is investigating new reports of a
zero-day vulnerability impacting Internet Explorer.
Exploit code for the vulnerability was posted Dec. 8 on the Full Disclosure
mailing list. The bug affects Internet Explorer versions 6, 7 and 8 across
multiple versions of Windows, including Windows 7 and Windows Vista.
There is no patch currently available for the bug. According to an analysis
by security firm VUPEN Security, the vulnerability could be used by attackers
to take complete control of a vulnerable system.
"This issue is caused by a use-after-free error within the 'mshtml.dll'
library when processing a web page referencing a CSS
(Cascading Style Sheets) file that includes various '@import' rules, which
could allow remote attackers to execute arbitrary code via a specially crafted
web page," according
, which rated the vulnerability "critical." "VUPEN
has confirmed this vulnerability with Microsoft Internet Explorer 8 on Windows
7, Windows Vista SP2 and Windows XP SP3, and with Internet Explorer 7 and 6 on
Windows XP SP3."
On Dec. 14, Microsoft
plans to release
its final Patch Tuesday security update for the year,
complete with 17 security bulletins and 40 security fixes. Included in there is
a fix for another IE bug that the company first warned users about in November
after attackers began pounding it with attacks.
The 17 security bulletins break a record for the company, though its current
high for vulnerabilities patched in an update-49, a mark set in October-looks
like it will remain untouched.
Jerry Bryant, group manager of response communications at Microsoft, said
the company is unaware of any attacks targeting the latest IE bug.
"Once we're done investigating, we will take appropriate action to help
protect customers," he said. "This may include providing a security
update through the monthly release process, an out-of-cycle update or
additional guidance to help customers protect themselves."