Microsoft IE exploit code unreliable, but more coming

HEAD: Microsoft IE exploit code unreliable, but more comingDECK: Microsoft IE6, IE7 vulnerable to zero-day exploit Symantec says

Abstract: Symantec Monday said the Internet Explorer zero-day exploit code published over the weekend does not work Symantec Monday said the Internet Explorer zero-day exploit code published over the weekend does not work reliably but that a better written version is likely on the way.

The Symantec Security Response division also said its research reveals that the exploit works on IE6 and IE7 and there is no reason yet to suspect that it works on other versions of the browser.

15 secrets of next-gen browsersThose two versions, however, comprise nearly 40% of the browsers in use today.

Symantec said that the affected Windows platforms running IE6 or IE7 include XP, Vista, 2000 client and server and 2003 server. Symantec is testing other versions of Windows to see if they are vulnerable when running IE6 or IE7.

The exploit code was released over the weekend on the BugTraq mailing list. It exposes a flaw in Cascading Style Sheets that could allow for remote code execution.

Vulnerabilities that allow remote code execution generally result in patches rated as critical by Microsoft, which is aware of the issue. Microsoft officials, however, had not returned an e-mail before this story was posted asking if it is currently working on a patch.

"There is no patch available, but on the other hand the exploit code is not very good," said Ben Greenbaum, senior research manager with Symantec Security Response. "So it is going to have to be fine tuned before it is a real threat. Right now, it is a potential threat. But it is just a matter of time before somebody finds a far more reliable method for exploiting this. "

Greenbaum said that the exploit code is inconsistent and often just results in the browser crashing rather than compromising the machine and gaining the capability for remote code execution.

"More often than not, it does not work," he said.

But Greenbaum said that Symantec's research team believes there is the eventual possibility for remote code execution. He did say Symantec has not seen any exploits in the wild, but that users should remain vigilant.

He said users could disable JavaScript in IE to protect against the exploit; however, that would result in the breaking some functionality on Web sites.

Greenbaum did note that it is not known if JavaScript is the only attack vector, but it is the only one that has been disclosed publicly.

He said Symantec has various protections out that would foil an attack by this exploit, but that others are also in the works.

For the attack to be carried out a user only has to be directed to a malicious Web page or visit a legitimate Web page that has been compromised with the exploit code.

IE has become a popular attack target for hackers. Just last month, Microsoft issued a patch rated critical to close a vulnerability in IE first disclosed at the Black Hat conference in July. In addition to IE, Firefox also can be vulnerable to the exploit when it is running the Windows Presentation Foundation plug-in, which gets installed via .Net Framework Service Pack 1.

Follow John on Twitter: twitter.com/johnfontana