It seemed like it would be a quiet aftermath to a light Patch Tuesday. But although Microsoft only included two patches in its monthly security update, the warning of a flaw in the Internet Explorer browser stole the show.
That’s thanks to a security researcher who released on Metasploit a working model of how to exploit the IE zero-day flaw. The release prompted Microsoft to open an investigation, though there is no word on when a patch will be forthcoming. eSecurity Planet has the story.
It didn’t take long for a bug sleuth to take hints he found online about a security hole that Microsoft warned users about on Tuesday and turn them into a pre-built attack module ready for widespread use.
Microsoft (NASDAQ: MSFT) published a Security Advisory as part of this week’s Patch Tuesday bug patch event, warning users that a zero-day vulnerability recently discovered in Internet Explorer 6 (IE6) and IE7 could leave them open to a complete compromise of their systems.
At that time, Microsoft officials acknowledged that they were aware of “limited, targeted attacks” in the wild.
By late Wednesday, however, a hacker who goes by the screen name Trancer had figured out the finer points of the attack and created a Metasploit module that will make it trivial for someone with more malicious intent to create a serious infestation.