Proof-of-concept code for an attack targeting old versions of Microsoft Internet Explorer has made its way online.
According to Symantec, someone posted the code Nov. 20 to the Bugtraq mailing list. The code targets a flaw tied to how Internet Explorer (IE) uses cascading style sheet ( CSS) information. CSSis used in many Web pages to define the presentation of the sites’ content.
The flaw is known to affect IE 6 and IE 7. The most current version of the browser, IE 8, is not thought to be impacted. IE 6 and IE 7 are still widely used however, and by one estimate account for roughly 41 percent of the Web browser market share.
“The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future,” Symantec researchers noted in a blog post Nov. 21. “When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer.”
Researchers at Vupen Security stated in an advisory that the issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the “getElementsByTagName()” method. If exploited successfully, attackers could the browser or execute arbitrary code by tricking a user into visiting a malicious web page.
As a fix, Vupen advised users to disable active scripting in the Internet and Local intranet security zones.
Microsoft could not be reached for comment.