Exploit for Unpatched IE Flaw Released

Researchers have released computer code demonstrating how to exploit a previously unknown security hole in Microsoft's Internet Explorer Web browser to take over Windows computers.

I'm still wading through the code to figure out exactly what this bugger does, but it appears to exploit a vulnerable, unpatched component of JavaScript in IE to run any program residing on the victim's system.

The exploit could be embedded into a malicious Web site so that users who browse the site with IE could quickly find their computer under the control of the site owner. For example, the site could use the exploit to force the victim's computer to initiate a file transfer or download.

Assuming this code works, I'm afraid that we will very soon see Web sites using it to install spyware, adware or viruses on visiting PCs. Until Microsoft issues some sort of workaround or patch, I would recommend anyone using IE to switch browsers. Now would be an excellent time to give another browser a whirl, such as Firefox, Opera or Netscape.

Security Fix will post updates if we hear from Microsoft on this threat or if anyone spots the exploit being used in the wild.

Update, 3:24 p.m., ET: Microsoft says it is investigating reports of a vulnerability in IE for customers running Windows 2000 Service Pack 4, and for Windows XP users running Service Pack 2. Microsoft said customers running Windows Server 2003 and Windows Server 2003 SP1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected.

By Brian Krebs  |  November 21, 2005; 10:17 AM ET
Categories:  Latest Warnings  


One temporary workaround for this, if you must use IE, is to disable 'active scripting' for non-trusted sites.

From what I understand this was originally reported to Microsoft back in May as a Denial of Service vulnerability and it seems Microsoft didn't acknowledge it. On's site (who released the PoC code) it says this is a reclassification of the original DoS advisory. I'm wondering if a second report was sent to Microsoft after finding remote code execution functionality before releasing the 'reclassification'.

Posted by: David Taylor | November 21, 2005 10:53 AM | Report abuse

Thanks for that, David. For what it's worth, Johannes Ullrich over at SANS has tested the exploit code and confirmed that it allows remote code execution, after which it tanks the victim's browser.

Posted by: Bk | November 21, 2005 10:56 AM | Report abuse

The question I have is did Microsoft really overlook the original vulnerability? If so, then well done the researchers for forcing this reclassification. If not, why was it left nearly 6 months+ for a patch release? I look forward in anticipation for the statement from Microsoft.

Posted by: Barry 'cueball' White | November 21, 2005 12:19 PM | Report abuse

Anyone still using Internet Explorer at this late date is taking a lot of unnecessary risks.

Switch to Firefox.

Posted by: Joseph | November 21, 2005 1:11 PM | Report abuse

When organizations or security companies release code that could be used to exploit a security flaw, such as this one, do they notify Microsoft about the problem before going public?

Knowing that such vulnerabilities exist may be important to all of us, but what's the ultimate responsibility of experts who are finding these holes for the supposed good of users?

Posted by: corbett | November 21, 2005 1:19 PM | Report abuse

Microsoft confirmed that this issue was reported back in May as a stability issue. They also stated that the public disclosure of this new and improved version (Remote code execution) wasn't disclosed responsibly. This has put users of Microsoft Windows at great risk since there is not a patch to address the issue.

Now the hackers have another tool to use in their quest to take control of our systems and to steal our information for personal gain. Thanks!

Posted by: David Taylor | November 22, 2005 6:25 AM | Report abuse

Everybody should switch to firefox now. Microsoft does not care about its customers just its stockholders.

They also can't patch ie as quick as firefox because it is so embedded in their os they have to test a million other things to see if the patch breaks anything else. That is if they even acknowledge that a problem exists.

Posted by: js | November 22, 2005 8:17 AM | Report abuse

If u don't visit porn websites u won't be affected... lol if u are going to do so go and get another browser...

Posted by: Joe | November 22, 2005 12:40 PM | Report abuse

anybody ever hear of advanced browser ?
works great for me, and it's free, too !

Posted by: willie | November 28, 2005 5:08 PM | Report abuse


© 2010 The Washington Post Company