IE6, IE7 hit by zero-day bug

A zero-day exploit that targets a vulnerability in Internet Explorer 6 and 7 has been published.

The exploit code, which was posted on the Buqtraq mailing-list on Friday, is not yet reliable, according to a Symantec blog post on Saturday. However, the security vendor warned in its post that it expected a fully functioning exploit in the wild "in the near future".

According to Vupen Security, the exploit targets a memory corruption error in Microsoft HTML viewer, which occurs when Internet Explorer retrieves certain cascading style sheet (CSS) objects. Vupen warned that this flaw could allow an attacker to crash the browser, or to trick a user into visiting a malicious web page.

At the time of writing, no patch was available for the issue. Vupen said that to mitigate the issue, people could disable Active Scripting.

Internet Explorer 6 is the most commonly used web browser, according to web analytics firm Net Applications. At the time of writing, IE6 had 23 percent of the market, while IE7 and IE8 each held 18 percent. Rival browser Firefox 3.5 had 14 percent, while Firefox 3 had nine percent. Overall, Internet Explorer had 65 percent market share, while Firefox had 24 percent.

Internet Explorer periodically suffers security vulnerabilities. For example, Microsoft released an out-of-band patch for IE at the beginning of the month to fix problems caused by a scheduled patch.