An exploit for a new zero-day bug in Internet Explorer appeared Thursday, causing security companies to ring alarms and Microsoft to issue a security advisory that promised it would patch the problem.
Just a day after anti-virus vendors warned of a new zero-day vulnerability in Internet Explorer -- the second such alert since Friday -- companies including Symantec and Secunia boosted security levels as news of a public exploit spread.
Although the publicly posted exploit only launches a copy of the Windows calculator, "replacing the shellcode in this exploit would be trivial even for an unskilled attacker," Symantec continued.
Microsoft confirmed the severity of the bug and the success of the exploit in its own advisory, issued late Thursday.
"Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user," the Microsoft warning went.
Microsoft repeated a Wednesday promise to patch the bug, but still did not set a timetable. In rare cases, Microsoft has gone out-of-cycle to patch -- the most recent was early January -- but the company didn't promise that it would fix the flaw before the next scheduled date of April 11.
The published exploit could be used by attackers to add compromising code to malicious Web sites that would hijack PCs running IE 5.01, 6.0, and even the first iteration of IE 7 Beta 2 Preview.
Microsoft tried to downplay the danger by noting that users would have to be drawn to the malicious site, but that limitation has proved easy for hackers to hurdle. In December 2005, for instance, hundreds of sites compromised thousands of PCs using a different vulnerability to install spyware secretly in so-called "drive-by downloads."
Another attack angle, Microsoft said, could be Web advertisements. "It could also be possible to display specially crafted Web content by using banner advertisements," the advisory read.
Microsoft also said that the March edition of IE 7 Beta 2 Preview is immune to the bug.