News
Exploit Code Discovered for Unpatched IE Flaw
This week security researchers announced that exploit code taking advantage
of an unpatched IE flaw has been published on the Web.
The code capitalizes on an IE error when encountering radio buttons using the
"createTextRange()" method, allowing hackers to attack the visiting
machine.
Microsoft issued a security
advisory regarding the exploit Thursday.
"This vulnerability could allow an attacker to execute arbitrary code
on the user's system in the security context of the logged-on user," a
company spokesperson said. "Microsoft has determined that an attacker who
exploits this vulnerability would have no way to force users to visit a malicious
Web site… Instead, an attacker would have to persuade them to visit the
Web site."
The advisory states that Redmond will decide soon whether to release a patch
as part of its regular monthly schedule or provide an "out-of-cycle"
security update.
Russ Cooper, director of risk intelligence publishing for the security firm
Cybertust, said he doesn't think the exploit will warrant an out-of-cycle patch.
"What we have to look at is not the flaw and not the exploit code, but
the actual risk to the user of being exploited by it," he commented. "The
simple fact is that [these kinds of] exploits are not being abused in a way
that affects a large group of people."
While many security research firms have rated the flaw "critical,"
Cooper countered that hackers' reliance on phishing e-mails for these types
of attacks makes widespread infection extremely unlikely.
"People receive these e-mails multiple times a day, every day," he
explained. "You're either duped by every one of them, or you don't
go there."
"What security managers need to think about is whether [their] people
are likely to stumble into the hole of these malicious sites. If they are, they've
probably been infected already."
Cooper did say that a widespread outbreak could occur if hackers defaced popular
Web sites with the code, but, historically, that scenario is extremely rare.
About the Author
Becky Nagel is the vice president of Web & Digital Strategy for 1105's Converge360 Group, where she oversees the front-end Web team and deals with all aspects of digital projects at the company, including launching and running the group's popular virtual summit and Coffee talk series . She an experienced tech journalist (20 years), and before her current position, was the editorial director of the group's sites. A few years ago she gave a talk at a leading technical publishers conference about how changes in Web browser technology would impact online advertising for publishers. Follow her on twitter @beckynagel.