Proof-of-concept code for an attack targeting old versions of Microsoft Internet Explorer has made its way online.
According to Symantec, someone posted the code Nov. 20 to the Bugtraq mailing list. The code targets a flaw tied to how Internet Explorer (IE) uses cascading style sheet ( CSS) information. CSSis used in many Web pages to define the presentation of the sites’ content.
The flaw is known to affect IE 6 and IE 7. The most current version of the browser, IE 8, is not thought to be impacted. IE 6 and IE 7 are still widely used however, and by one estimate account for roughly 41 percent of the Web browser market share.
Researchers at Vupen Security stated in an advisory that the issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the “getElementsByTagName()” method. If exploited successfully, attackers could the browser or execute arbitrary code by tricking a user into visiting a malicious web page.
As a fix, Vupen advised users to disable active scripting in the Internet and Local intranet security zones.
Microsoft could not be reached for comment.