Internet Explorer users have been told to ditch the application and switch to another browser, pronto.
The warning comes from Rapid7, which describes a hole that’s exploitable by visiting a malicious Website (and, of course, in the world of Twitter and shortened URLs, it’s so much easier to get users to visit such sites).
Visiting a malicious site gives the attacker the same privileges as the current user, according to Rapid7’s post, here. Although the published exploit targets XP, Rapid7 says the attack works on IE 7 through 9 running on XP, Vista and Windows 7.
The discoverer of the exploit, Eric Romang, says the zero-day drops a file, Exploit.html, on the target. This, in turn, creates files with img and swf suffixes, which IE treats as Flash.
Romang claims the exploit was created by the same group – Nitro – that recently released a Java zero-day into the wild.
Rapid7’s HD Moore, also chief architect of Metasploit, told Ars that he’s surprised to see the exploit work across Windows Vista and 7: “This is one of the few times that a vulnerability has been successfully exploited across all the production shipping versions of the browser and OS”, he said. The attack bypasses ASLR – address space layout randomization – that’s meant to help defend the newer operating systems against attack.
Microsoft is looking at the exploit now, and has stated that it will “take the necessary steps” once it has a fix ready. ®