Microsoft Warns of IE Exploit Code in The Wild

Microsoft on Monday said it is investigating a possible vulnerability in Internet Explorer after exploit code that allegedly can be used to take control of computers, if they visit a Web site hosting the code, was posted to a security mailing list.

Microsoft confirmed that the exploit code affects IE 6 and IE 7, but not IE 8, and it said it is “currently unaware of any attacks trying to use the claimed vulnerability or of customer impact,” according to a statement.

 

The exploit code was published to the BugTraq mailing list on Friday with no explanation.

 

“The exploit targets a vulnerability in the way Internet Explorer uses Cascading Style Sheet (CSS) information. CSS is used in many Web pages to define the presentation of the sites’ content,” Symantec wrote in a blog post this weekend.

 

“The exploit currently exhibits signs of poor reliability, but we expect that a fully functional, reliable exploit will be available in the near future,” Symantec said. Symantec urges IE users to keep their antivirus software up-to-date, disable JavaScript, and visit only trusted Web sites, until Microsoft issues a patch for the hole.

 

Anyone believed to have been affected can visit Microsoft’s Consumer Security Support Center, report it to the Internet Crime Complaint Center, and contact the FBI or law enforcement in the particular country, Microsoft said. U.S. residents can also call Microsoft’s PC Safety Customer Service and Support number at 1-866-727-2338.

 

In July, critical holes in IE prompted Microsoft to issue a rare out-of-cycle (in other words, pre-Patch Tuesday) fix.

 

Source: Cnet

Related posts:

1. Microsoft IIS web server under attack from hackers
2. Cracked Windows – Microsoft warns of critical flaw
3. 16 July 2009 Microsoft Security Updates
4. Operation Aurora: Microsoft knew about Internet Explorer flaw for four months
5. Serious IE ActiveX Vulnerability Discovered