Alarm bells over exploit for "extremely critical" IE flaw

Exploit code for a new flaw in Internet Explorer could put systems at risk of remote attack, security experts warned on Monday.

The exploit code, made public on Monday, aims to take advantage of the "extremely critical" vulnerabilities in IE 5.5 and IE 6 running on XP Service Pack 2 (SP2), and IE 6 running on Windows 2000 SP4, security researcher Secunia said in an advisory.

Once a PC user is tricked into visiting a malicious website, the exploit can be triggered automatically, without the user doing anything.

Thomas Kristensen, Secunia's chief technology officer, said: "An attacker could use the exploit to run any code they want to on a person's system. It could be they want to launch some really nasty code on a user's system."

The flaw lies in a JavaScript component of IE used for loading web pages onto a computer, according to an advisory from SANS Internet Storm Center.

Microsoft has not released a patch for the hole exploited by the code. People can attempt to work around the problem by either shutting off JavaScript or using another type of browser, security companies advised.

Security researchers said the IE vulnerability has been known for the past six months but had previously been seen as a conduit for denial of service attacks rather than the remote execution of code. DOS attacks, which attempt to crash a system by flooding it with data, are typically considered less severe security risks.

Johannes Ullrich, chief research officer for the Sans Institute, said: "The vulnerability itself has been known about for a while but it was only a problem for a denial of service attack that would sometimes cause IE to crash. Up until now, no one knew how to mark the code and find it in memory to execute a remote code attack."

The exploit code was published by an organisation called Computer Terrorism.

Because the flaw was initially believed to involve only a potential DOS attack, Microsoft never issued a patch for the problem, Ullrich said. He added it is not yet known whether Microsoft will spin out a patch for the flaw immediately or wait for its monthly patch cycle.

A Microsoft representative was not able to comment early on Monday on the flaw or the exploit but did say the company is investigating reports of the possible vulnerability for customers using Internet Explorer while running Windows 2000 SP4 and Windows XP SP2.

The representative said: "We have also been made aware of proof-of-concept code that could seek to exploit the reported vulnerability but are not aware of any customer impact at this time."

Microsoft, upon completion of its investigation, will take appropriate action to protect its customers by providing a patch as part of its monthly security bulletin program or in a separate security advisory, the representative added.

Dawn Kawamoto writes for CNET News.com