New Attack Compromises Fully-Patched IE Browsers

A new security hole in Internet Explorer exploit allows hackers to gain control of a user's computer when they click on a hyperlink, even while using a fully-patched version of IE6. An exploit using the technique, which employs a complex series of Javascript, VBScript and PHP code, has been published on the Web and is being discussed in several security mailing lists.

The attack splices together multiple weaknesses in Internet Explorer, including at least one known but unpatched flaw and several new ones. The scripting cocktail tricks the browser into running code from a remote web server as though it were a local help file, and can then install a trojan of the attacker's choice on the compromised system.

The exploit is launched when a user clicks on a malicious link in an e-mail or web page. Internet Explorer launches a pop-up window with an "iframe" tag, which is commonly used to display text or interactive features in a floating window. The code tricks the browser into thinking the iframe contains a help file from the user's hard drive, while downloading a javascript that can then run with local privileges. The javascript then launches a remote php file, which in turn downloads a trojan to the user's hard drive. A complete analysis of the exploit and how it works can be found here.

Some security professionals called the new hack an example of a "zero-day exploit," in which a working attack is published at the same time a vulnerability is discovered. The existence of a published exploit puts pressure on Microsoft to quickly come up with a patch for all IE users. Early reports suggest the key security holes may be patched in Windows XP Service Pack 2, which is now in beta.