New Internet Explorer Vulnerability Found

A new Internet Explorer (IE) security vulnerability has been found. The flaw, which is related to Internet Explorer's HTML engine, allows hackers to infiltrate systems running Windows XP, Vista and Windows 7.

The issue was first discovered early in December by French security company Vupen . The company says this flaw could be exploited with the processing of a CSS (or Cascading Style Sheets) file intended for use by web designers.

Rigged Website Key to Attack

Those running Internet Explorer could find themselves under attack if they're (knowingly or unknowingly) directed to a specially-crafted web site. Hackers would then exploit the vulnerability to plant malware on a PC, which would be used for harvesting sensitive information, such as credit card data, and passwords.

Vupen issued a security advisory back on December 9th, 2010. The company confirmed then that the flaw could be found in Internet Explorer 8 (IE8) in all three of Microsoft's operating systems. (Source: threatpost.com)

Poisoned Code Released to Testers

Security firm Vupen has crafted an exploit for the flaw and released the attack code to its own customers, for the purpose of testing and addressing the issue.

Perhaps the biggest surprise with this recent vulnerability is that it affects Internet Explorer 8, and even Windows 7. It's said that if the flaw is successfully exploited, it can bypass Window 7's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) defenses.

No Fix Currently Available

Microsoft Trustworthy Computing Group director Dave Forstrom says his company is currently looking into the issue, but says no fix is yet available.

"Microsoft is investigating new public claims of a possible vulnerability in Internet Explorer," Forstrom said.

According to Forstrom, there haven't been any attacks using the flaw yet. That said, with the holidays literally upon us, you can bet that hackers will look to exploit and cash-in on the flaw as quickly as possible. (Source: computerworld.com)

Microsoft issued a security advisory (#2488013) about the issue and the bug has been publically acknowledged in their technet blog. (Source: technet.com)