Researcher publishes exploit for new IE hole
Clues in McAfee blog post led researcher to existing exploit code, which he then analyzed to write his own code.
An Israeli security researcher has published exploit code for an unpatched hole in Internet Explorer that Microsoft disclosed two days ago.
Microsoft had warned that a new vulnerability in IE 6 and IE 7, which could allow an attacker to take control of a computer, had been targeted in attacks.
Releasing the exploit code publicly increases the chances of attacks on the zero-day hole and could pressure Microsoft to issue a patch before its next scheduled Patch Tuesday in four weeks.
Researcher Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit database.
He was able to create the exploit code after figuring out where an existing exploit was in the wild, based on information in a McAfee blog post, he told Ryan Naraine of the Zero Day blog at CNET sister site ZDNet. It took him about 10 minutes to de-obfuscate the exploit and pinpoint the vulnerability, he said.
Ben Abu told CNET that he would have found the original exploit code sooner or later without McAfee's help.
Asked how serious the zero-day hole is, he wrote in an e-mail to CNET: "The exploit covers Internet Explorer versions 6 and 7, which are not the latest version [IE 8] but many users still use it. In addition, the exploit is quite unstable, with about 60 percent to 70 percent success rate. So I guess it is critical, but not for users who update their Windows with the latest IE."
Microsoft's advisory on the vulnerability includes information on workarounds but suggests that IE 6 and IE 7 users upgrade to IE 8 immediately.
A McAfee spokesman said the company would be more careful about the details provided in its blog posts in the future.
"McAfee Labs does not support the release of exploit code, particularly in advance of a security patch being made available. We regularly sanitize blog content to prevent providing information that might assist attackers, while at the same time providing a service to customers and the security community to help improve protection levels," the spokesman said in a statement via e-mail. "The post in question did not contain enough information to directly lead anyone to exploit code. However, we regret that in this unique situation the post did contain details that may have given exploit writers a starting point to hunt for exploit code. Future blog posts will be subject to additional sanitization."
Updated at 11:44 a.m. PST with comment from McAfee and updated at 10:37 p.m. PST with comment from Ben Abu.