Exploit Code Posted for Unpatched IE Flaw

Microsoft is warning customers that exploit code is in the public domain for an unpatched vulnerability in Internet Explorer that can allow an attacker to take control of a user's computer over the Internet.

Microsoft issued a security advisory about the vulnerability on Monday and updated the advisory Tuesday.

The flaw affects some of Microsoft's most secure platforms, including Internet Explorer on Windows XP Service Pack 2, as well as IE on Windows 98, Windows 98 Second Edition, Windows ME, Windows 2000 SP4 and Windows XP SP1. Windows Server 2003 running IE under Enhanced Security Configuration is not affected.

Microsoft has known about the technical issue that underlies the flaw for some time, but the company contends it was only recently made aware of the security implications of the problem. "This issue was originally publicly reported in May as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible," Microsoft's advisory reads.

The flaw arises from the way IE handles mismatched document object model objects, according to the bulletin. An attacker would have to lure a user to a maliciously crafted Web site to exploit the bulletin.

Microsoft says it has received no evidence that the exploit code has been used to compromise customers yet. The company is working on a fix for the problem that will ship in a future security bulletin.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Using Metadata To Make Non-Text Data Easier To Find

    Content indexing works well for finding files that contain text, but it's no help when searching for non-text data. Brien's workaround is to take advantage of Windows 10's file metadata feature.

  • Microsoft Previews Windows Autopilot for HoloLens 2

    Microsoft on Friday announced a public preview of Windows Autopilot for HoloLens 2, its mixed-reality headset.

  • Microsoft Flirts with Charging for API Software Connections

    Microsoft may have started something new by attempting to charge its customers for software that uses its application programming interfaces (APIs).

  • Overcoming Spacesuit Anxiety During Astronaut Training

    Spacesuits are heavy, claustrophobic and hot -- an uncomfortable combination for many would-be astronauts. Here's how Brien came around to the idea of wearing one.

comments powered by Disqus