December 22, 2010, 8:37 AM — Security researchers have released attack code that exploits an unpatched bug in Microsoft's Internet Explorer (IE) and sidesteps defenses baked into Windows 7.
Microsoft said it was looking into the vulnerability.
"Microsoft is investigating new public claims of a possible vulnerability in Internet Explorer," said Dave Forstrom, the director of Microsoft's Trustworthy Computing group, in a statement. "We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact."
The bug first surfaced earlier this month when French security firm Vupen announced it had uncovered a flaw in IE's HTML engine that could be exploited when the browser processed a CSS (Cascading Style Sheets) file that included "@import" rules. The @import rules let Web designers add external style sheets to an existing HTML document.
Vupen issued a bare-bones advisory on Dec. 9 that confirmed the vulnerability in IE8 running on Windows XP, Vista and Windows 7, and in IE6 and IE7 on XP. Attackers could trigger the bug from a rigged Web page, then hijack the PC to plant malware or pillage its secrets.
Although Vupen crafted an exploit, it released the attack code only to its own customers for penetration testing purposes.
Others pushed the IE bug into public view Tuesday. Abysssec Security Research posted a short video demo of an attack in action, and security researcher Joshua Drake added a working exploit to the Metasploit penetration testing kit.
Drake credited a Chinese security blog for revealing the vulnerability last month.
Unlike some other recent IE bugs, this one can be exploited on the newest browser, IE8, running on Microsoft's newest OS, Windows 7, by defeating the latter's DEP (data execution prevention) and ASLR (address space layout randomization) anti-exploit defenses.
According to HD Moore, the chief security officer at Rapid7 and the creator of Metasploit, Drake's code works reliably against IE8 on Windows 7, but is slightly less dependable when aimed at IE on Windows XP.
The exploit is notable for the way it circumvents DEP and ASLR, Moore said. It relies on a flaw in Windows that lets hackers force the operating system to load outdated .Net DLLs (dynamic-link libraries) that do not have ASLR enabled.
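The bypass hinges on a single fact about one module: a DLL that was never built to opt into ASLR loads at a predictable address in every process, and that fixed address is all a ROP-style DEP bypass needs. The practical check is therefore whether a module's PE header sets the DYNAMIC_BASE flag (and, for DEP, NX_COMPAT) and whether it still carries the relocation table the loader would need to honour that flag. What follows is an added example, not code from the article, from Metasploit or from Microsoft: a standard-library-only Python parser of those header fields. The three PE images it inspects are constructed inline as header-only test data with invented module names; point pe_mitigations at the bytes of a real DLL read from disk to audit what a browser process has loaded.

```python
"""Report whether a PE image (DLL or EXE) opted into ASLR and DEP.

Added example, standard library only. The flag values are the winnt.h
constants; the sample images below are constructed header-only PE files,
not real Microsoft binaries, so the check runs offline.
"""
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags
DYNAMIC_BASE = 0x0040   # image may be rebased at load time, i.e. ASLR opt-in
NX_COMPAT = 0x0100      # image declares itself DEP compatible
# IMAGE_FILE_HEADER.Characteristics flags
RELOCS_STRIPPED = 0x0001
IS_DLL = 0x2000


def pe_mitigations(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers and return the mitigation opt-ins."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine(2) Sections(2) Timestamp(4) SymTab(4) NumSyms(4)
    #              SizeOfOptionalHeader(2) Characteristics(2)
    file_chars = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    wants_aslr = bool(dll_chars & DYNAMIC_BASE)
    # A DYNAMIC_BASE image whose relocations were stripped cannot actually be moved,
    # so treat it as a fixed-address module too.
    aslr = wants_aslr and not (file_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dll": bool(file_chars & IS_DLL),
        "aslr": aslr,
        "dep": bool(dll_chars & NX_COMPAT),
    }


def modules_without_aslr(modules: dict) -> list:
    """Names of loaded modules that give an attacker a fixed-address target."""
    return sorted(name for name, image in modules.items()
                  if not pe_mitigations(image)["aslr"])


def build_pe(dll_chars: int, file_chars: int, pe32plus: bool = False) -> bytes:
    """Build a header-only PE image (constructed test data, not a loadable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0,
                       opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, 2)          # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, dll_chars)  # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed sample "process": module names are invented for illustration.
SAMPLE_MODULES = {
    # Built before the ASLR/DEP flags existed: no opt-in at all, like the
    # outdated runtime DLLs the article describes.
    "legacy_runtime.dll": build_pe(dll_chars=0, file_chars=IS_DLL),
    # Modern 64-bit DLL with both mitigations enabled.
    "modern.dll": build_pe(dll_chars=DYNAMIC_BASE | NX_COMPAT,
                           file_chars=IS_DLL, pe32plus=True),
    # Claims ASLR but shipped without relocations: still a fixed address.
    "stripped.dll": build_pe(dll_chars=DYNAMIC_BASE,
                             file_chars=IS_DLL | RELOCS_STRIPPED),
}

if __name__ == "__main__":
    for name, image in SAMPLE_MODULES.items():
        print(name, pe_mitigations(image))
    print("fixed-address modules:", modules_without_aslr(SAMPLE_MODULES))
```

The relocation check matters in practice: a DLL that sets DYNAMIC_BASE but has IMAGE_FILE_RELOCS_STRIPPED is loaded at its preferred base anyway, so a scan that only reads the flag will miss it. This is a static check of the file on disk; it tells you which modules could anchor an exploit, not whether a given process has loaded them.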