RealTime IT News

Unpatched IE Flaw Now Exploitable

Proof-of-concept (PoC) code has now been publicly released for a flaw that Secunia rated "extremely critical," potentially leaving untold millions of Microsoft Internet Explorer users at risk.

The Microsoft Internet Explorer JavaScript window() DoS vulnerability was originally reported at the end of May.

The flaw could potentially allow a malicious remote user to trigger a DoS by way of a JavaScript onload event that calls the window() function.

"Contrary to popular beliefs, the aforementioned security issue is susceptible to remote, arbitrary code execution, yielding full system access with the privileges of the underlying user," according to security firm Computer Terrorism.

To back up its point and ultimately put millions of users at risk of attack, Computer Terrorism has posted proof of concept code that demonstrates how easy it is to compromise a fully patched IE user's PC.

Johannes Ullrich of the SANS Internet Storm Center (ISC) noted that the flaw allows arbitrary executables to be run without user interaction.

Computer Terrorism's PoC demo will launch a calculator (calc.exe), though Ullrich commented that there is also a version that will allow a user to open a remote shell.

As a result of the publicly available PoC, security news aggregator Secunia has upped its assessment of the flaw to extremely critical, its highest security warning level.

IE users are being advised to disable JavaScript on non-trusted sites until a patch is released.

A Microsoft spokesperson confirmed that the company is aware of new public reports of a possible vulnerability in IE for customers running Windows 2000 SP4 and Windows XP SP2.

According to the spokesperson, customers running Windows Server 2003 and Windows Server 2003 SP1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected.

"We have also been made aware of proof of concept code that could seek to exploit the reported vulnerability, but are not aware of any customer impact at this time," the spokesperson said. "But Microsoft will continue investigating these public reports."

Once the investigation is completed, the spokesperson said that Microsoft will take the appropriate action to protect its customers, which may include providing a fix through its monthly release process or issuing a security advisory, depending on customer needs.