An "extremely critical" hole in Internet Explorer may ruin Christmas for Microsoft and thousands of its customers, IDG has learned.
The exploit can give system access to an intruder and allow them to install any code onto a host computer if that person simply visits a website with malicious coding on it. It bypasses security and could easily result in the release of sensitive information.
Microsoft has not been informed of the exploit and the details are now in the public domain, making the situation all the more risky. Security company Secunia.com found the exploit posted on a public mailing list by Chinese researcher, Liu Die Yu, and has given it a rating of 4 out of 5.
Secunia CTO, Thomas Kristensen, said that due to Microsoft's new policy of monthly security updates and patches, it may not be until January that exploit was dealt with.
"Microsoft tends to take its time to resolve an issue to release a solid patch," he said. "At the moment they will be working on patches for December so there may be nothing until January - unfortunately for users."
A Microsoft spokesperson said that if the company felt the exploit was critical, it would make an exception to the normal monthly patches. There is no word yet as to how seriously the company is taking the issue.
Meanwhile, Kristensen warns that one of the holes is very similar to that which was exploited by the extremely damaging Nimbda virus.
According to Secunia's advisory:
- A redirection feature can bypass Explorer security that stops files on a foreign website from being run.
- That hole means a malicious file can be downloaded and run on a user's system.
- A cross-site script hole could allow the same file to be run within a user's protected My Computer area, yielding sensitive information.
- A previously fixed vulnerability can still be exploited so limited control over the computer can be achieved.
- A user's cache can be assessed with an invalid header field.