Metasploit releases IE attack, but it's unreliable

The code is not as reliable as first thought

Robert McMillan (IDG News Service)
27 November, 2009 08:23
Comments

Developers of the open-source Metasploit penetration testing toolkit have released code that can compromise Microsoft's Internet Explorer browser, but the software is not as reliable as first thought.

The code exploits an Internet Explorer bug that was disclosed last Friday in a proof-of-concept attack posted to the Bugtraq mailing list.

That first code was unreliable, but security experts worried that someone would soon develop a better version that would be adopted by cyber-criminals.

The original attack used a "heap-spray" technique to exploit the vulnerability in IE. But for a while Wednesday, it looked as though the Metasploit team had released a more reliable exploit.

They used a different technique to exploit the flaw, one pioneered by researchers Alexander Sotirov and Marc Dowd, but Metasploit eventually pulled its code.

"The bug itself is unreliable," Metasploit developer HD Moore said in a Twitter message Wednesday.

The Metasploit code tried to exploit the flaw in two ways, one of which was "problematic," and the other of which was the heap-spray technique that had already been ineffective.

Microsoft said via e-mail Wednesday afternoon that it was "currently unaware of any attacks in the wild using the exploit code or of any customer impact."

That's good news for IE users, as a reliable attack would affect a lot of people. The two versions of the browser that are vulnerable to the flaw -- IE 6 and IE 7 -- are used by about 40 percent of Web surfers.

The company has issued a Security Advisory that offers workarounds to guard against the flaw.

According to Microsoft, the newer IE 8 browser is not affected by it.

The flaw lies in the way IE retrieves certain Cascading Style Sheet (CSS) objects, used to create a standardized layout on Web pages.

Concerned IE users can upgrade their browser or disable JavaScript to avoid an attack.

Come socialise with us! Facebook | LinkedIn

Bookmark this page
Share this article
- facebook
- slashdot
- digg
- Reddit
- stumbleupon
- linkedin
- twitter
Got more on this story? Email ARN
Follow ARN on twitter

More about: Microsoft

References show all

Comments

Post new comment

Share
Share this article
- google+
- facebook facebook
- slashdot slashdot
- digg digg
- Reddit Reddit
- stumbleupon stumbleupon
- linkedin linkedin
- twitter twitter
print
email
Bookmark

Related Coverage

Related Whitepapers

Latest Stories

Community Comments

"Yes, I agree the Samsung tablet is a good product with some ..."

REVIEW: Is the Samsung Galaxy Tab 10.1 the new king of Android tablets?
"Has anyone seen the new "Friend Project" social network site? It copies ..."

MySpace: The next hot social network?
"It should read as Australasian owned, not Australian owned."

Datacom joins AFP, Microsoft and ninemsn to support ThinkUKnow
"the new lenovo x130e 's r alright but they blocked eveything '"

Lenovo awarded NSW DET netbook contract
"Have you any idea just about any cheap�discount�hotels in Espoo, Finland?"

Telstra-NBN Co wholesale broadband agreement “imminent”

Tags: web browsers, security, metasploit, internet explorer, exploits and vulnerabilities

ARN Directory | Distributors relevant to this article

ASI Solutions , Bluechip Infotech , Compucon Computers , Dicker Data , Express Data , Express Online , Impact Systems Technology , Ingram Micro Australia , Leader Computers , Leading Pacific Australia , NewLease , Simms International (For Simms International please see Express Online) , Synnex Australia , Topstar Computer International , Westan , XiT Distribution , Xpress I.T.

Most Read

Get exclusive access to ARN's news, research and invitation only events.

Latest Jobs

Most Commented

ARN Distributor Directory

Find distributors by name | vendor | location

Channel Deals

Synnex

Lenovo February & March Hot Deal 2

More details »

ARN Vendor Directory

Find vendors by name | category

iAsset is a channel management ecosystem that automates all major aspects of the entire sales,marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.

Featured Whitepapers

Aberdeen Group: Building Business Resilience Through Active Archive

One of the key data management challenges organizations often face is how to keep their archived data accessible and active, without spending the time and resources associated with primary storage. The amount of data in the archives can range from one half to 10 times the amount of data actively managed in primary storage. How can end-users gain access to historical files in a reasonable amount of time without pulling IT employees from higher priority projects? Aberdeen's research found the answer in the technologies and processes that comprise active archiving.

Most Popular Whitepapers

HiveManager Online: Less Dollars, More Sense

Today’s de facto standard controller-based Wi-Fi infrastructure model is just too complicated, too expensive, and too unreliable. It’s common for enterprise and mid-market network operators alike to get caught in a crossroads of compromises involving costs, complexity, features, and reliability.

Popular tags: Business Management, Security, Storage, Data Centre, Master Data Management

Market Place