Exploit code released for unpatched IE 7 vulnerabilityJuly 1, 2008 – 6:22 AM
Another day, another gaping hole affecting fully patched versions of Microsoft’s Internet Explorer browser.
According to a warning from US-CERT, proof-of-concept exploit code has been published for a new zero-day bug that can be used for a variety of malicious attacks against Windows users running IE 6, IE 7, and IE 8 beta 1.
The code, published here by ’sirdarckat’, shows how the vulnerability can be exploited to hijack an iFrame in a legitimate site and capture a target’s keystrokes. This occurs because Internet Explorer fails to properly restrict access to a document’s frames, allowing an attacker to modify the contents of frames in a different domain.