Microsoft Admits To Zero-Day Flaw In IE 6 And 7

Microsoft has confirmed the existence of a zero-day bug in Internet Explorer 6 and 7.

Proof-of-concept attack code for the flaw was posted on 20 November to the Bugtraq mailing list. The flaw is tied to the way IE uses CSS (Cascading Style Sheets) information.

According to Microsoft, the company is looking into how to best address the matter.

“We’re aware that detailed exploit code was published on the internet for the vulnerability, but we’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact,” a Microsoft spokesperson said on 23 November. “Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.”

An analysis by Vupen Security found the vulnerability is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the “getElementsByTagName()” method. If it is exploited successfully, attackers could crash the browser or execute arbitrary code by tricking a user into visiting a malicious web page.

As a solution, Vupen recommends users disable active scripting in the internet and local intranet security zones. If Microsoft decides to issue a patch for the vulnerability, it may come on 8 December as part of the Patch Tuesday security fixes.
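
The workaround above can be checked per machine. The following PowerShell is an added example, not code from the article, Vupen or Microsoft: it reports the Active Scripting setting for the Local intranet and Internet zones and, with `-Fix`, disables it for the current user. The registry locations and the URL action number 1400 are the standard Internet Explorer zone settings and do not appear in the article.

```powershell
param([switch]$Fix)  # -Fix writes the per-user preference; without it the script only reports

$ActionId = '1400'   # URLACTION_SCRIPT_RUN ("Active scripting")
$Zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Meaning  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$Suffix   = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Roots    = @(
    "HKLM:\SOFTWARE\Policies\$Suffix",   # machine policy
    "HKCU:\Software\Policies\$Suffix",   # user policy
    "HKLM:\SOFTWARE\$Suffix",            # machine preference
    "HKCU:\Software\$Suffix"             # user preference
)

# Report every location where the setting is present for the two zones.
$report = foreach ($zone in ($Zones.Keys | Sort-Object)) {
    foreach ($root in $Roots) {
        $key  = "$root\$zone"
        $item = Get-ItemProperty -Path $key -Name $ActionId -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }          # value not set at this location
        $value = [int]$item.$ActionId
        $state = $Meaning[$value]
        if (-not $state) { $state = "Unknown ($value)" }
        [pscustomobject]@{
            Zone  = $Zones[$zone]
            Key   = $key
            State = $state
            OK    = ($value -eq 3)                 # 3 = scripting disabled
        }
    }
}
$report | Format-Table -AutoSize

if ($Fix) {
    # Set the current user's preference to Disabled (3) for both zones.
    foreach ($zone in $Zones.Keys) {
        $key = "$($Roots[-1])\$zone"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $ActionId -Value 3 -PropertyType DWord -Force | Out-Null
    }
}
```

A value set under one of the policy keys takes precedence over the user preference written by `-Fix`, so re-run the report afterwards and check that no row still shows `OK` as False.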

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
