A well-known exploit for a vulnerability that can be used to compromise Internet Explorer versions 6, 7 and 8 has been added to the Eleonore attack kit, heightening the chances that more attacks will occur in the wild, according to a security researcher.
Roger Thompson, chief research officer at AVG, wrote on his blog on Sunday that "we've begun detecting [the exploit] in the Eleonore Exploit Kit. This raises the stakes considerably, as it means that anyone can buy the kit for a few hundred bucks, and they have a working zero-day".
The weakness — which is already being exploited in the wild — can allow attackers to execute code remotely without the user's knowledge. Exposure usually takes place by tricking a user into visiting a website that hosts malicious code. A drive-by attack then follows, in which the attacker's code runs on the target machine.
Microsoft acknowledged the existence of the weakness on 3 November. "It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution," said the company in a security advisory.
The advisory also notes that, if required, Microsoft will consider issuing an out-of-cycle security update, or providing a fix through its regular "patch Tuesday" monthly update.
However, according to Thompson, Microsoft may be forced to issue an unplanned fix.
"What this means to Microsoft, is that they should consider issuing an out-of-band patch. What this means to you, if you're a non-geek, is that until Microsoft releases said patch, you should install something that's pretty good at detecting and blocking web-based attacks."
Microsoft has published workarounds to help protect users until a patch is issued. These include enabling Data Execution Prevention (DEP) for Internet Explorer 6, 7 and 8; Internet Explorer 8 ships with DEP enabled by default. Microsoft has also provided instructions on using a user-defined style sheet (CSS), which also temporarily removes the threat.