A security researcher said he has located a zero-day vulnerability in a printing feature on Internet Explorer
(IE) that could allow remote attackers to execute malicious code.
The vulnerability lies in the "Print Table of Links" feature, which users can choose to click on when they print a web page. Doing so produces a printed appendix that contains a table of all the links in the page they are printing.
But Israeli researcher Aviv Raff wrote in his blog
that an attacker can add a specially crafted link to a web page that accepts user-generated content. Should someone print this page and enable the "Print Table of Links" feature, the attacker can launch arbitrary code on the victim's machine, Raff said.
This can happen because IE leverages a "local resource script" to generate new HTML anytime a user prints a page, he said. However, the browser fails to vet all the links contained on the page.
"While the script takes only the text within the link's inner data, it does not validate the URL of links, and adds it to the HTML as it is," Raff said. "This allows [an attacker] to inject a script that will be executed when the new HTML is generated."
Bill Sisk, security response communications manager at Microsoft, told SCMagazineUS.com Friday that the company was aware of publicly posted exploit code targeting the vulnerability but it does not consider the flaw a major threat.
"Thus far, our investigation has shown an attack would require significant user interaction," he said. "An attacker would need to convince a user to select a non-default printing option and print a malicious web page in order for an attack to be successful. We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact."
Once it completes its investigation, Microsoft likely will delivery a patch to remedy the issue, he said.
The bug is confirmed to affect IE versions 7 and 8 on Windows XP machines, Raff said. Vista units on which user account control (UAC) is enabled are only susceptible to information loss - not code execution.