A new vulnerability in Microsoft’s Internet Explorer 7 browser has been disclosed and confirmed just hours after Microsoft’s huge patch day. Exploits are already available in Internet forums and Microsoft is apparently working on an out-of-band patch.
Microsoft released patches addressing 28 vulnerabilities in its software yesterday, but the company said that a critical vulnerability that popped up on the Internet earlier today remains unpatched.
All IE7 versions are potentially affected, but it appears that only browsers running under Windows XP and Windows Server 2003 are currently targeted by malware: The vulnerability in the browser enables an attacker to execute arbitrary code simply when a malicious website is visited. Security firm eEye said that “exploit code for this has been publicly released in public forums and exploitation has been seen in-the-wild.”
"Internet Explorer remote code execution vulnerabilities have very high impacts since the source of the malicious payload can be across any site on the Internet," said Andre Protas, eEye's director of Research and Preview Services. "An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with Administrator credentials."
Microsoft confirmed the vulnerability, but did not say when a patch may be available. However, the company is already working on a patch and is expected to release it when finalized.
Until then, users can protect their PCs by using third party tools such as eEye’s Blink software.