Attack code targets new IE hole
Code that exploits a serious, yet-to-be-patched hole in Microsoft's Web browser has been posted on the Net.
The code was published on public Web sites, where it is accessible to miscreants who might use it to craft attacks on vulnerable Windows computers. Microsoft is investigating the issue, the company representative said in a statement Thursday.
"Microsoft's initial investigation reveals that this exploit code could allow an attacker to execute memory corruption," the representative said. As a workaround to protect against potential attacks, Microsoft suggests Windows users disable ActiveX and active scripting controls.
The flaw is due to an error in an ActiveX control related to multimedia features and could be exploited by viewing a rigged Web page, Symantec said in an alert sent to users of its DeepSight security intelligence service Thursday. An attacker could commandeer a Windows PC or cause IE to crash, the security company said.
IE versions 5.01 and 6 on all current versions of Windows are affected, the French Security Incident Response Team, or FrSIRT, a security-monitoring company, said in an alert Wednesday. FrSIRT deems the issue "critical," its most serious rating. Microsoft noted that Windows 2003 running Enhanced Security Configuration is not affected.
Upon completion of its investigation, Microsoft may issue a patch for the flaw as part of its monthly release process, the company said. Microsoft is not aware of any attacks that attempt to exploit the new IE vulnerability at this time, it said.
The warning of the new flaw comes only days after Microsoft released its September patches. On Tuesday it released three updates, two for Windows and one for Office. The software maker also released a third version of an Internet Explorer fix after it botched the first two versions of the patch.
In recent months, word of new attacks has repeatedly followed shortly after "Patch Tuesday." Some experts believe the timing of the new attack is no coincidence, suggesting that attackers look to take advantage of a full month before Microsoft is scheduled to release its next bunch of fixes.