Symantec confirms Internet Explorer exploit

By siliconindia | Tuesday, 24 November 2009, 15:04 IST
Bangalore: A new exploit targeting Internet Explorer has been published on the BugTraq mailing list. According to security solutions provider Symantec, the exploit takes advantage of a critical cascading style sheet (CSS) vulnerability.

"We conducted further tests and confirmed that it affects Internet Explorer (IE) versions 6 and 7 as well. However, the exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future," Symantec explained in an official blog post.

"When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. But they must first lure victims to their malicious Web page or a Web site they have compromised. Yet, in both cases, the attack requires JavaScript to exploit Internet Explorer. As such, IE users should disable JavaScript and only visit Web sites they trust until fixes are available from Microsoft," Symantec added.

The latest Zero Day IE exploit has also been confirmed by IT security research firm Vupen Security, which provided a detailed description of the vulnerability, reports TGDaily.

According to Vupen, this exploit is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the 'getElementsByTagName()' method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.

It should be noted that Vupen Security lists the exploit as only affecting versions 6 and 7 of Internet Explorer.