Exploit code for a critical (remotely exploitable) vulnerability in Microsoft's Internet Explorer 7 browser has been released on the Internet, prompting a new round of "upgrade now!" warnings from computer security experts.
The vulnerability could be used in malware attacks to take complete control of a Windows machine running IE 6 or IE 7, according to an advisory issued over the weekend.
Here's the gist of the problem:
A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the "getElementsByTagName()" method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.
The vulnerability was confirmed on fully patched Windows XP SP3 systems with Internet Explorer 6 and 7.
IE users unable (or unwilling) to upgrade to IE 8 can disable Active Scripting in the Internet and Local intranet security zones.
Microsoft has not yet issued an advisory with mitigation guidance.
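The Active Scripting workaround mentioned above can be audited and applied per user from PowerShell. This is an added example, not code from the advisory or from Microsoft. The registry paths and the value name 1400 (the Active Scripting URL action) are the standard IE zone settings and are not stated in the article, and the `-Apply` switch is a name chosen for this sketch.

```powershell
# Added example: report the Active Scripting setting for the Local intranet
# and Internet zones of the current user, and disable it when -Apply is given.
# Assumes PowerShell 3.0 or later. Run without -Apply to audit only.
param([switch]$Apply)

$userZones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Group Policy copies of the same settings; when present they override HKCU.
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$meaning  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$action   = '1400'   # URL action: Active Scripting
$disabled = 3

function Get-ZoneAction([string]$Root, [int]$Zone) {
    # Returns the DWORD value, or $null when the key or value is absent.
    $key = Join-Path $Root $Zone
    (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
}

foreach ($id in ($zones.Keys | Sort-Object)) {
    $before = Get-ZoneAction $userZones $id

    if ($Apply -and $before -ne $disabled) {
        $key = Join-Path $userZones $id
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $action -Value $disabled -Type DWord
    }
    $after = Get-ZoneAction $userZones $id

    # A policy value wins over the per-user one, so surface it in the report.
    $policy = $policyRoots | ForEach-Object { Get-ZoneAction $_ $id } |
              Where-Object { $null -ne $_ } | Select-Object -First 1

    [pscustomobject]@{
        Zone     = $zones[$id]
        Before   = if ($null -eq $before) { 'Not set' } else { $meaning[[int]$before] }
        After    = if ($null -eq $after)  { 'Not set' } else { $meaning[[int]$after] }
        Policy   = if ($null -eq $policy) { 'None' } else { $meaning[[int]$policy] }
        Hardened = ($after -eq $disabled) -and ($null -eq $policy -or $policy -eq $disabled)
    }
}
```

A `Hardened` value of `False` after running with `-Apply` means a Group Policy setting is still allowing script in that zone and has to be changed at the policy level.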