Zero-Day Exploit Targets IE

Microsoft acknowledges a potential code execution vulnerability in its Internet Explorer browser after the public release of a proof-of-concept exploit.

Exploit code for a critical flaw in fully patched versions of Microsoft Corp.s Internet Explorer browser has been released on the Internet, putting millions of Web surfers at risk of computer hijack attacks.

The zero-day exploit, posted by a U.K.-based group called "Computer Terrorism," could allow a remote hacker to take complete control of a Windows system if the victim simply browses to a malicious Web site.

Ziff Davis Internet News have verified that the exploit works on fully patched Windows XP systems with default IE installations.

/zimages/5/28571.gifClick here to read more about Microsofts IE patch breaking Web sites.

The MSRC (Microsoft Security Response Center) is expected to release a security advisory to address the public reports.

A Microsoft spokeswoman acknowledged that customers running Windows 2000 SP4 and Windows XP SP2 were at risk. The Windows Server 2003 and Windows Server 2003 SP1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected.

"We have also been made aware of proof of concept code that could seek to exploit the reported vulnerability but are not aware of any customer impact at this time but Microsoft will continue to investigating these public reports," the spokeswoman added.

The proof-of-concept exploit, which is available from the FrSirt site, currently launched the Windows Calculator (calc.exe) but can be easily modified by malicious hackers.

Johannes Ullrich, chief technology officer at the SANS ISC (Internet Storm Center), warned that arbitrary executables may be launch without user interaction. An attacker must however lure the victim to visit a maliciously crafted Web site.

Ullrich said the ISC has already received reports that a new version of the exploit is capable of opening a remote shell. "The PoC exploit allows for easy copy/paste of various shell code snippets," he warned.

In a diary entry, Ullrich said the exploit targets a known bug in the JavaScript "Window()" function, when used in conjunction with a event. The onload is an argument to the HTML tag that is used to execute Javascript as the IE page loads.

/zimages/5/28571.gifClick here to read more about Microsoft correcting the IE patch download glitch.

The group that published the exploit said Microsoft has been aware of the Javascript Window() vulnerability for several months but was mistakenly treating it as a low-priority denial-of-service flaw.

Benjamin Tobias Franz, a German security researcher, originally published an advisory in May this year to warn of the denial-of-service bug.

However, according to the latest findings, the issue is much more serious and could allow remote, arbitrary code execution, yielding full system access with the privileges of the underlying user, according to a notice from Computer Terrorism (U.K.) Ltd.

The group said IE users should immediately disable "Active Scripting via the Tools > Internet Options > Security tab > Custom Level feature.

The SANS ISCs Ullrich said IE users should consider switching to Firefox or Opera.

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.