0day Treasure Hunt: Researcher Hides IE Attack on Web

Robert McMillan, IDG News Service

Wednesday, May 07, 2008 12:20 PM PDT

Security researcher Aviv Raff has published code that would allow someone to take control of a computer running Internet Explorer, but there's a catch. He's not saying exactly where he's hidden the attack.

"Somewhere in my blog, I embedded a proof-of-concept code which exploits this 0day vulnerability," Raff wrote in a Wednesday blog posting. A 0day attack is a previously undisclosed software flaw that has not been fixed by the software maker.

The bug, which affects Internet Explorer 7 and IE 8, could allow an attacker to run unauthorized software on a victim's computer. Raff informed Microsoft of the flaw on Tuesday and the software vendor has not yet patched it, Raff said.

Microsoft didn't get much time to fix the bug, but Raff said he didn't feel that Microsoft would address the issue quickly unless he went public with the vulnerability.

When he has followed Microsoft's responsible disclosure guidelines in the past, the company has been too slow to fix bugs, he said via instant message. "The last time I used their Responsible Disclosure policy it took them six months to fix one line of code."

For Raff's attack to work, the hacker would first have to put a small amount of HTML code on a Web site and then persuade the victim to use a specific Internet Explorer feature on that site, he said.

The Israeli hacker said that the idea of disclosing his attack in a treasure hunt came from a local custom of playing such games during Israel's Independence Day, which falls on Thursday.

Raff has put the code on his own Web site, and he will offer clues as to what people must do to trigger the flaw over the next few days. When triggered, Raff's proof-of-concept code launches two copies of Microsoft's calculator software on the victim's computer, but it could be altered to do something malicious.

Next Wednesday, he will release full details of the bug along with his proof-of-concept code.

Microsoft was unable to immediately comment for this story.

Recommend this story?
Vote Yes
Vote No
0 Yes
0 No
Email
Comment

Community Comments

News For Your Business

More News

PC World's Marketplace

PC World's Free Whitepapers

Security News

Viruses / Phishing / Spam - May 15, 2008
Wannabe Hackers Can Now Rent-a-Botnet Online fraudsters that aren't highly skilled in the arts of cyber crime can now rent a service that offers an all-in-one...
Security - May 13, 2008
Hackers Hijack a Half-Million Sites A variety of malware already infects millions of PCs in an accelerated attack, security expert warns.
Security - May 12, 2008
Hacker Posts Chilean Government Data on 6 Million An anonymous hacker has posted personal data about 6 million Chilean residents on the Internet, highlighting wider privacy...
Security - May 12, 2008
Hackers Create Their Own Social Network Hackers now have their own social network, backed by GnuCitizen, a high-profile "ethical hacking" group.

Latest Expert Blogs

Glenn Fleishman on Hardware - May 13, 2008 11:29 AM
AT&T Pushes Fiber Service for Small Businesses Small businesses can get fiber connections from AT&T as fast as 10 Mbps downstream for $100 per month, and receive a Wi-Fi gateway and Wi-Fi hotspot access as the cherry on top.
Neil McAllister on Software - May 15, 2008 10:17 AM
Flash Player 10 Available for Public Testing Adobe's next-generation browser plugin brings improved 3D, text handling, and graphics acceleration.
Erik Larkin on the Web - May 14, 2008 10:34 AM
Master Your Bookmarks Tips and tools for managing bookmarks in that ultimate productivity tool, the Web browser.

All Blogs

Featured Resources

Premier Content From Our Sponsors

Smart and affordable data protection for your organization. Visit the CDW Solution Center for more info...
Lenovo Laptop Showcase Balance performance and portability with Lenovo notebooks...

Best Prices on Security Software

Norton Internet Security 2008Price: $17.20

4.13 stars

Norton 360Price: $29.45

2.31 stars

Platinum Internet Security 8 (Full Product)Price: $10.00

5.00 stars

PANDA SOFTWARE Platinum 2006 Internet Security ( Windows )Price: $2.99

5.00 stars

Featured Whitepapers

White papers, case studies and product info from top brands

The 5 Reasons to Worry about Your DNS DNS servers are one of the most critical, yet vulnerable, network infrastructure applications. Because of their exposure to the Internet, they are among the most vulnerable computers that an organization deploys. This whitepaper explains the top fi...