Symantec Corp. is warning of a new publicly available exploit code targeting an unpatched display vulnerability in Internet Explorer (IE) that could enable hackers to conduct drive-by attacks and spread malware on unsuspecting victim machines.
"The exploit currently exhibits signs of poor reliability, but we expect that a fully functional a
Cupertino, Calif.-based Symantec said the IE zero-day exploit code appeared Friday on the Bugtraq mailing list. Symantec and several other security vendors are providing antivirus and IPS signatures to protect against the attack.
IT security research and alert vendor VUPEN Security also reported the vulnerability on Saturday, saying the flaw is a dangling pointer in the Microsoft HTML Viewer (mshtml.dll).
Danish vulnerability clearinghouse Secunia gave the IE zero-day flaw a highly critical rating in an alert issued today. Secunia confirmed the vulnerability in IE6 on Windows XP SP2 and IE7 on Windows XP SP3A.
Microsoft has not yet acknowledged the vulnerabilities. The software giant patched a serious Windows kernel flaw earlier this month, fixing a vulnerability that enabled attackers to set up a malicious website and target users of Internet Explorer using embedded OpenType font.