This Metasploit exploit is more intelligent and dangerous. It affects older versions of IE that have JavaScript enabled. The versions that are vulnerable are IE6 and IE7.
This exploit enables a very popular attack technique called a drive-by attack. Victims are tricked into visiting Web sites that contain malicious code, where they are then infected via the browser vulnerability. Criminals also place this type of code on hacked Web sites in order to spread their attacks.
“The Metasploit exploit that was released last night will be more reliable against certain attacks than the initial exploit,” said Ben Greenbaum, senior research manager with Symantec, in an interview Wednesday.
As of Wednesday morning, Symantec had not seen the exploit used in Internet-based attacks. You can count on cyber-criminals to utilize this exploit during the holiday online shopping season.
On Monday, Microsoft published a Security Advisory on the flaw, offering some workarounds for the issue.
Microsoft’s latest IE 8 browser is not affected by the bug, which has to do with the way that IE retrieves certain Cascading Style Sheet (CSS) objects, used to create a standardized layout on Web pages.
Concerned IE users can upgrade their browser or disable JavaScript in order to avoid an attack.
I highly recommend that you do not click on links in an email from anyone you do not know. If a link is shared on a social network, be careful before clicking on it; you may become a victim of a drive-by attack.
Surf safe all!
Thanks for posting this important heads up. Although most bloggers may think that the IE users on the web have upgraded from IE6 AKA “the dog” and from IE7 to IE8, those of us who answer questions on support forums know the truth – many haven’t. Moreover, what we must do every day is explain that leaving JavaScript enabled on their old IE browsers creates a huge security risk.
Best wishes to you and yours for a Happy Thanksgiving. :)
Timethief,
Thank you for the insight and I hope you had a wonderful Thanksgiving!
Great insight. Wonder why my employer has yet to upgrade from IE6…is this purely a budget issue or would there be other valid reasons I am missing? Regardless, thanks for the tip.
Jake,
My company is also behind. We still have IE6, but I only use FF.
Despite the availability of various browsers, I am still receiving hits from people who came through my blog using this ‘IE’ 5.5+ so this is important for those who still do so. Happy Late Thanksgiving, Frank :)
Hicham,
I can’t believe people are still using 5.5, wow! Oh well, may end badly. :)