Unpatched Flaw in IE Bypasses Key Windows Security Features

An exploit exploiting an unpatched vulnerability in Internet Explorer (IE) has gone public. Security researcher Shahin Ramezany announced in a Tuesday tweet that he successfully exploited the flaw, which involves how IE handles CSS style sheets on Windows 7 and Vista machines. Offensive Security, a provider of security tools and training, posted a video demonstrating the code execution on Monday.

On Wednesday, the exploit code was added to the open-source Metasploit hacking toolkit. This flaw can bypass two built-in Windows security features: Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), according to Ramezany. Microsoft has not yet confirmed the vulnerability.

“We’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact,” said Dave Forstrom, director of trustworthy computing at Microsoft, in an email to SCMagazineUS.com on Wednesday. “Once we’re done investigating, we will take appropriate action to help protect customers.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.