Proof of Concept (PoC) code has now been publicly released for a flaw that security advisory firm Secunia rated “extremely critical,” potentially leaving untold millions of Microsoft Internet Explorer users at risk.
“Contrary to popular beliefs, the aforementioned security issue is susceptible to remote, arbitrary code execution, yielding full system access with the privileges of the underlying user,” according to security firm Computer Terrorism.
To back up its point and ultimately put millions of users at risk of attack, Computer Terrorism has posted proof of concept code that demonstrates how easy it is to compromise a fully patched IE user’s PC.
Johannes Ullrich of the SANS Internet Storm Center (ISC) noted that the flaw allows arbitrary executables to be run without user interaction.
Computer Terrorism’s PoC demo will launch a calculator (calc.exe), though Ullrich commented that there is also a version that will allow a user to open a remote shell.
As a result of the publicly available PoC, security news aggregator Secunia has upped its assessment of the flaw to extremely critical, its highest security warning level.