A newly discovered threat that doesn’t yet have any patch can allow for a Web-based attack against up-to-date Internet Explorer 6 and 7 browsers, according to security companies.
Both Symantec and Vupen Security have posted alerts about the bug, which involves the way IE handles cascading style sheets, or CSS. According to the posts, browsing a Web site with embedded attack code would trigger the assault. The site could be a specifically created malicious site, or one that was hijacked and had the attack code inserted.
According to Vupen’s post, the flaw affects both IE 6 and 7 on a fully patched XP SP3 computer and could allow for running any command on a vulnerable system, such as installing malware. There aren’t yet any reports of active attacks, but exploit code is publicly available.
Symantec’s post says its tests confirm the published exploit works, but that it “exhibits signs of poor reliability,” ie. it doesn’t always work. An additional e-mail from Symantec says that Vista is affected as well, but Microsoft has not yet confirmed the vulnerability.
Zero-days that affect IE are typically major threats, so attackers will likely begin hiding attacks that target this flaw on compromised Web sites, and spewing out e-mails and online comments with links to sites that contain attacks.
According to Vupen, disabling Active Scripting in the Internet and Local intranet security zones will block attacks against this flaw, but doing so would likely block Web site functionality as well. Current reports do not list IE 8 as vulnerable, but Symantec warns that “there are possibilities that other versions of IE and Windows may also be affected.” Your best bet may be to use an alternate browser such as Firefox until a patch is available.
Update (1:55pm): Microsoft has confirmed that the vulnerability affects IE 6 and IE 7, but not IE 8. The company says it is not currently aware of any existing attacks against the flaw, and may decide to release an out-of-band patch once it has finished its investigation.