Exploit Code Available For Zero-Day IE Flaw


By Stefanie Hoffman, ChannelWeb

4:43 PM EST Mon. Nov. 23, 2009
Microsoft warned of a critical, zero-day vulnerability affecting Internet Explorer 6 and 7 Web browsers on Windows XP and Vista, which paves the way for hackers to download malicious code onto users' PCs.

Symantec security researchers published proof-of-concept code detailing the exploit on the BugTraq security mailing list over the weekend. To launch a successful attack, hackers could install malicious code on users' PCs by enticing potential victims either to click on a malicious link leading to a specially crafted Web page or to visit an existing site infected with the exploit. Hackers typically lure victims to infected sites through some social engineering scheme conducted over e-mail.

Security researchers say that the exploit thus far appears to only affect IE 6 and 7 on Windows XP and Vista but could possibly affect other versions of both IE and Windows. Microsoft's latest IE 8 browser does not appear to be affected by the flaw.

Specifically, the bug occurs in the way IE handles Cascading Style Sheets (CSS) information, which ultimately enables hackers to inject the exploit into otherwise legitimate Web sites, according to reports from Symantec. CSS is a style sheet language used in Web sites to define the presentation of the site's content.

So far, the exploit has exhibited signs of poor reliability, but Symantec researchers said in a blog post that they expect hackers to develop a fully functional version of the attack in the near future.

Meanwhile, Symantec researchers advise users to disable JavaScript until Microsoft releases a fix for the bug. Symantec experts also recommend that, in general, users keep their antivirus software up to date and visit only known and trusted Web sites to stay protected from future attacks.

 