Zero-Day Exploit a Threat to IE6 & 7 Browsers?

Microsoft acknowledged Monday that it is evaluating an apparent zero-day bug in older versions of Internet Explorer, after an anonymous hacker posted proof-of-concept code online to exploit the hole.

The exploit for the bug in Microsoft’s (NASDAQ: MSFT) IE6 and IE7 browsers was posted on Symantec’s BugTraq bug database over the weekend, according to a Symantec (NASDAQ: SYMC) spokesperson.

“Symantec Security Response has confirmed that the exploit affects both IE6 and 7 on Windows XP and Vista platforms, but there are possibilities that other versions of IE and Windows may also be affected,” the spokesperson said in an e-mailed statement.

It’s not the first time that hackers have revealed zero-day flaws in Windows or Internet Explorer before Microsoft had a chance to patch them — nor is it likely to be the last. Microsoft recently finished — it hopes — patching a zero-day bug hackers found in a key Windows networking protocol called System Message Block or SMB.

The new Windows 7 even had its first zero-day vulnerability earlier this month, again a case of a hole in SMB. Microsoft has said it is in the process of evaluating that bug, and the proof of concept code that hacker posted, but hasn’t come out with a patch yet.

While a zero-day vulnerability in Windows 7 is serious, however, a zero-day hole that can be used to attack IE6 and 7 could be much more devastating — if and when hackers decide to build a working exploit, given how many users still favor those two versions of Microsoft’s browser.

This latest exploit, however, does not take advantage of weaknesses in SMB.

“The exploit targets a vulnerability in the way IE uses the Cascading Style Sheets (CSS) information. CSS is used in many Web pages to define the presentation of the site’s content,” the Symantec statement said.

How serious a threat is this zero day exploit?

A Microsoft spokesperson said that it is examining the bug and the exploit code but, again, has not come to a conclusion yet as to how dire the need for an immediate fix might be.

“We’re aware that detailed exploit code was published on the Internet for the vulnerability, but we’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact,” the spokesperson said.

How dangerous the latest zero-day hole may be is still a matter of debate.

“The exploit in its current form exhibits inconsistent behavior in tests conducted by the [Symantec Security] Response team, however a fully-functional exploit can be expected to follow,” the Symantec spokesperson said.

However, even Symantec agrees that for an attacker to successfully exploit the hole, it is necessary to trick a potential victim to visit either a malicious Web page or a Web site that has been compromised. Additionally, a successful exploit requires that JavaScript be enabled in order to take over Internet Explorer.

News Around the Web