An Israeli security researcher has published exploit code for an unpatched hole in Internet Explorer that Microsoft disclosed two days ago, using clues from a McAfee report on the hole.
Microsoft had warned in an advisory that a new vulnerability in IE6 and IE7, which could allow an attacker to take control of a computer, had been targeted in attacks.
Releasing the exploit code publicly increases the chances of attacks on the zero-day hole and could pressure Microsoft to issue a patch before its next scheduled Patch Tuesday in four weeks.
Researcher Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit database.
He was able to create the exploit code after figuring out where an existing exploit was in the wild, based on information in a McAfee blog post, he told Ryan Naraine of the Zero Day blog at ZDNet.com.au sister site ZDNet.com. It took him about 10 minutes to de-obfuscate the exploit and pinpoint the vulnerability, he said.
Ben Abu said that he would have found the original exploit code sooner or later without McAfee's help.
Asked how serious the zero-day hole is, he wrote in an email: "The exploit covers Internet Explorer versions 6 and 7, which are not the latest version [IE8] but many users still use it. In addition, the exploit is quite unstable, with about 60 per cent to 70 per cent success rate. So I guess it is critical, but not for users who update their Windows with the latest IE."
Microsoft's advisory on the vulnerability includes information on workarounds but suggests that IE6 and IE7 users upgrade to IE8 immediately.
McAfee said it would be more careful about the details provided in its blog posts in the future.
"McAfee Labs does not support the release of exploit code, particularly in advance of a security patch being made available. We regularly sanitise blog content to prevent providing information that might assist attackers, while at the same time providing a service to customers and the security community to help improve protection levels," it said in a statement via email.
"The post in question did not contain enough information to directly lead anyone to exploit code. However, we regret that in this unique situation the post did contain details that may have given exploit writers a starting point to hunt for exploit code. Future blog posts will be subject to additional sanitisation."
Via CNET