Internet Explorer Pwned
Microsoft’s world has been shaken up recently by a new remote command execution exploit for its premier web browser, Internet Explorer.
Quoting a timeline from eEye’s research on this vulnerability makes it this story more interesting:
“11/15/2008 In-The-Wild Exploitation Witnessed By 3rd Party
12/9/2008 Reliable Exploit Code Identified by eEye Research”
The problem is in the code processing XML in Internet Explorer. An attacker can exploit a buffer overflow to execute their own code on the client just by visiting a malicious web page.There are already full exploits for Windows XP and Windows Vista. Apprently, this has been exploited in the wild for some time now. Its too bad that the original bug discoverer didn’t sell his/her code, they probably would have gotten a small fortune (I am talking about totally legitimate agencies, of course).
Also, according to Muts’ Blog, this vulnerability still isn’t patched (Vista updated with latest patches — stated on the blog). Oh Microsoft, we know your good with your Patch Tuesdays and all that stuff, but couldn’t you break down and hand out some emergency patches soon? I mean, should ~50% of the world get owned just in time for Christmas!?
But rapid reader, I bring good news too! Firefox users shouldn’t have a thing to worry about =)