Proof-of-concept for new IE flaw forebodes web danger

Proof-of-concept (PoC) code that targets a new zero-day vulnerability in Internet Explorer (IE) currently is circulating, but so far, attackers have been unable to create an exploit capable of executing malicious code.

The flaw is present in IE version 6 and 7 and involves the way in which the browser handles cascading style sheets, a style sheet language common on websites, Ben Greenbaum, senior research manager at Symantec Security Response, told SCMagazineUS.com on Monday.

A PoC that appeared Friday on the BugTraq mailing list could be used to modify the browser's memory, which causes it to crash, Greenbaum said. However, successful attackers would need to leverage "heap spraying," a fairly unreliable exploit technique.

Virus writers, though, likely are hard at work to develop a more functional and severe exploit, he said.

"In order to run code of the attacker's choice, there would have to be a lot more work done than we're seeing in the proof-of-concept," he said. "Attackers know about this flaw and are going to be diligently working to make it reliable and to make it execute their code, and that's when we're going to see real problems."

A Microsoft spokeswoman told SCMagazineUS.com on Monday that the software giant is aware of the published PoC and is investigating, though there are no reports of customer impact. The company next is scheduled to distribute security patches on December 8.

In the meantime, Greenbaum said he suggests users visit only known websites and avoid clicking on untrusted links in emails. In addition, users can disable JavaScript, which would prevent malicious code from executing.