Critical Internet Explorer exploit code released in the wildOctober 1, 2013 – 7:42 PM
Attack code that exploits a critical vulnerability in all supported versions of Microsoft’s Internet Explorer browser has been publicly released.
Monday’s release of a module for the Metasploit exploit framework used by security professionals and hackers could broaden the base of attackers who are capable of targeting the flaw. Until now, the bug has been known to be exploited in only a handful of highly targeted attacks aimed mostly at workers in Japanese government agencies and manufacturers. While the attack code has been available to anyone who knows where to find it, its inclusion in the open-source Metasploit could make it easier for some people to use.
Microsoft issued a temporary fix for the browser two weeks ago. The company, which is scheduled to release its next batch of security updates on October 8, hasn’t said when it will issue a permanent patch.
One of the groups carrying out the attacks is the same one that installed malware on computers belonging to security firm Bit9. The group has planted exploits on compromised websites known to be frequented by government and manufacturing employees. The exploits are used to remotely execute code that installs rootkit-style malware that’s used to download sensitive data from the infected machines. While the exploits target versions 8 and 9 of IE running on Windows XP and Windows 7 respectively, the “use after free” vulnerability is present in IE versions 10 and 11 as well, Microsoft has said.
Out of an abundance of caution, Windows users should be sure to install the temporary fix it regardless of the browser they regularly use.