Patch/Configuration Management, Vulnerability Management

Exploit code released for patched Microsoft Internet Explorer flaw

Hackers released exploit code on Monday for a patched Microsoft Internet Explorer (IE) flaw. The disclosure could be the catalyst for widespread attacks, according to researchers.

An unknown hacker released the exploit on the Milw0rm website on Monday — more than a month after Microsoft released a fix (MS07-009) for the flaw as part of its February Patch Tuesday distribution.

The vulnerability exists in the ADODB.Connection ActiveX object and can cause memory corruption or remote attacks, according to an updated advisory from US-CERT.

The flaw can be exploited when handling the "Execute()" method, according to a February advisory from Secunia.

Secunia credited researcher Yag Kohha with reporting the flaw.

When Redmond released a patch for the IE flaw in February — during a 12-patch distribution for 20 flaws — the fix was largely overshadowed by a single patch that corrected a list of zero-day exploits in Microsoft Office.

A Monday alert from Websense Security Labs credited H.D. Moore, who published a DoS demonstration, with the original exposure of the vulnerability during his Month of Browser Bugs in July.

Websense warned that the exploit could become prevalent in the malicious user community.

"This type of vulnerability has been very popular with malicious attacks in the past and we expect to see its usage increase substantially now that exploit code is publicly available," read the advisory.

A Websense spokeswoman referred requests for comment to the published alert because Websense researchers were not available for comment.

Click here to email Online Editor Frank Washkuch Jr.
