Researchers at Symantec say exploit code for a zero-day security vulnerability has been uncovered in Internet Explorer 6 and 7.
Proof-of-concept code for an attack targeting old versions of Microsoft Internet Explorer has made its way online. According to Symantec, someone posted the code Nov. 20 to the Bugtraq mailing list. The code targets a flaw tied to how Internet Explorer (IE) uses cascading style sheet (CSS) information. CSS is used in many Web pages to define the presentation of the sites' content.
The flaw is known to affect IE 6 and IE 7. The most current version of the browser, IE 8, is not thought to be impacted. IE 6 and IE 7 are still widely used, however, and by one estimate account for roughly 41 percent of the Web browser market share.
"The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future," Symantec researchers noted in a blog post Nov. 21. "When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases,
objects via the "getElementsByTagName()" method. If exploited successfully, attackers could the browser or execute arbitrary code by tricking a user into visiting a malicious web page.
As a fix, Vupen advised users to disable active scripting in the Internet and Local intranet security zones.
Microsoft could not be reached for comment.