Exploit Code Posted for Unpatched IE Flaw

Microsoft is warning customers that exploit code is in the public domain for an unpatched vulnerability in Internet Explorer that can allow an attacker to take control of a user's computer over the Internet.

Microsoft issued a security advisory about the vulnerability on Monday and updated the advisory Tuesday.

The flaw affects some of Microsoft's most secure platforms, including Internet Explorer on Windows XP Service Pack 2, as well as IE on Windows 98, Windows 98 Second Edition, Windows ME, Windows 2000 SP4 and Windows XP SP1. Windows Server 2003 running IE under Enhanced Security Configuration is not affected.

Microsoft has known about the technical issue that underlies the flaw for some time, but the company contends it was only recently made aware of the security implications of the problem. "This issue was originally publicly reported in May as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible," Microsoft's advisory reads.

The flaw arises from the way IE handles mismatched document object model objects, according to the bulletin. An attacker would have to lure a user to a maliciously crafted Web site to exploit the bulletin.

Microsoft says it has received no evidence that the exploit code has been used to compromise customers yet. The company is working on a fix for the problem that will ship in a future security bulletin.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • The 2021 Microsoft Product Roadmap

    From Windows 10X to the next generation of Microsoft's application server products, here are the product milestones coming down the pipeline in 2021.

  • After High-Profile Attacks, Biden Calls for Better Software Security

    Recent high-profile security attacks have prompted the Biden administration to issue an executive order aiming to tighten software security practices across the board.

  • With Hybrid Networks on Rise, Microsoft Touts Zero Trust Security

    Hybrid networks, which combine use of cloud services with on-premises software, require a "zero trust" security approach, Microsoft said this week.

  • Feds Advise Orgs on How To Block Ransomware Amid Colonial Pipeline Attack

    A recent ransomware attack on a U.S. fuel pipeline company has put a spotlight on how "critical infrastructure" organizations can prevent similar attacks.