Exploit Surfaces for Unpatched IE Flaw

Microsoft acknowledged Friday that an exploit has surfaced in the wild to take advantage of a recently uncovered security vulnerability in Internet Explorer. The flaw puts IE users at risk of code execution simply by visiting a malicious Web site, and affects fully patched Windows XP SP2 systems.

A problem exists in how IE interprets the "createTextRange()" method used for radio button controls in HTML forms. From there, the flaw can be exploited to allow program flow to be redirected to the heap. When this occurs, the attacker can then exploit the vulnerability to execute code on an affected computer.

"Right now we're monitoring the attempts to exploit this vulnerability and we're working with our industry partners and law enforcement to remove the malicious Web sites using the vulnerability as they pop up," Microsoft's security response team said in a blog posting.

"I want to caution everyone that they should take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code." Microsoft is currently finalizing a patch to fix the problem, but the company's next scheduled Patch Tuesday is not until April 11.

As of Friday, security firm Sunbelt Software reported 19 Web sites attempting to exploit the new vulnerability. "Based on what we're seeing in the wild right now, we hope that Microsoft will patch this new IE exploit prior to April 11," said Sunbelt CEO Alex Eckelberry.

Microsoft says it is "actively keeping an eye on any attempts to utilize this in an attack" and will release the patch sooner if deemed necessary. "To be clear, and as our advisory states, the vulnerability affects currently supported versions of Windows 2000, Windows XP and Windows Server 2003."

The Windows Live Safety Center has been updated with the ability to remove the malicious backdoor software installed by the exploit, and third party antivirus vendors are expected to follow suit.