Unpatched IE Flaw Now Exploitable

Proof-of-concept (PoC) code has now been publicly released for a flaw that security advisory firm Secunia rated “extremely critical,” potentially leaving untold millions of Microsoft Internet Explorer users at risk.

The Microsoft Internet Explorer JavaScript window DoS vulnerability was originally reported at the end of May.

The flaw could potentially allow a malicious remote user to trigger a DoS by way of a JavaScript onload event that calls the window function.

“Contrary to popular beliefs, the aforementioned security issue is susceptible to remote, arbitrary code execution, yielding full system access with the privileges of the underlying user,” according to security firm Computer Terrorism.

To back up its point and ultimately put millions of users at risk of attack, Computer Terrorism has posted proof of concept code that demonstrates how easy it is to compromise a fully patched IE user’s PC.

Johannes Ullrich of the SANS Internet Storm Center (ISC) noted that the flaw allows arbitrary executables to be run without user interaction.

Computer Terrorism’s PoC demo will launch a calculator (calc.exe), though Ullrich commented that there is also a version that will allow a user to open a remote shell.

As a result of the publicly available PoC, security news aggregator Secunia has upped its assessment of the flaw to extremely critical, its highest security warning level.

IE users are being advised to disable JavaScript on non-trusted sites until a patch is released.

This article was first published on InternetNews.com.

Sean Michael Kerner
Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
