News

Exploit Code Discovered for Unpatched IE Flaw

This week security researchers announced that exploit code taking advantage of an unpatched IE flaw has been published on the Web.

The code capitalizes on an IE error when encountering radio buttons using the "createTextRange()" method, allowing hackers to attack the visiting machine.

Microsoft issued a security advisory regarding the exploit Thursday.

"This vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user," a company spokesperson said. "Microsoft has determined that an attacker who exploits this vulnerability would have no way to force users to visit a malicious Web site… Instead, an attacker would have to persuade them to visit the Web site."

The advisory states that Redmond will decide soon whether to release a patch as part of its regular monthly schedule or provide an "out-of-cycle" security update.

Russ Cooper, director of risk intelligence publishing for the security firm Cybertust, said he doesn't think the exploit will warrant an out-of-cycle patch.

"What we have to look at is not the flaw and not the exploit code, but the actual risk to the user of being exploited by it," he commented. "The simple fact is that [these kinds of] exploits are not being abused in a way that affects a large group of people."

While many security research firms have rated the flaw "critical," Cooper countered that hackers' reliance on phishing e-mails for these types of attacks makes widespread infection extremely unlikely.

"People receive these e-mails multiple times a day, every day," he explained. "You're either duped by every one of them, or you don't go there."

"What security managers need to think about is whether [their] people are likely to stumble into the hole of these malicious sites. If they are, they've probably been infected already."

Cooper did say that a widespread outbreak could occur if hackers defaced popular Web sites with the code, but, historically, that scenario is extremely rare.

About the Author

Becky Nagel serves as vice president of AI for 1105 Media specializing in developing media, events and training for companies around AI and generative AI technology. She also regularly writes and reports on AI news, and is the founding editor of PureAI.com. She's the author of "ChatGPT Prompt 101 Guide for Business Users" and other popular AI resources with a real-world business perspective. She regularly speaks, writes and develops content around AI, generative AI and other business tech. She has a background in Web technology and B2B enterprise technology journalism.

Featured

  • Microsoft Appoints Althoff as New CEO for Commercial Business

    Microsoft CEO and chairman Satya Nadella on Wednesday announced the promotion of Judson Althoff to CEO of the company's commercial business, presenting the move as a response to the dramatic industrywide shifts caused by AI.

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.