Information Security News mailing list archives

Chinese experts mistakenly release IE7 exploit


From: InfoSec News <alerts () infosecnews org>
Date: Fri, 12 Dec 2008 03:12:02 -0600 (CST)

http://www.techworld.com/security/news/index.cfm?newsID=108274

By Jeremy Kirk
IDG news service
11 December 2008

The security woes continued for Microsoft after Chinese security 
researchers mistakenly released the code needed to hack a PC by 
exploiting an unpatched vulnerability in Internet Explorer 7.

At one point, the code was traded for as much as $15,000 (£10,000) on 
the underground criminal markets, according to iDefense, the computer 
security branch of VeriSign, citing a blog post from the Chinese team.

The problem in Internet Explorer 7 means a computer could be infected 
with malicious software merely by visiting a website, one of the most 
dangerous computer security scenarios. It affects computers running IE7 
on Windows XP, regardless of the service pack version, Windows Server 
2003 running Service Pack 1 or 2, Windows Vista and Windows Vista with 
Service Pack 1 as well as Windows Server 2008.

Microsoft has acknowledged the issue but not indicated when it will 
release a patch.

The vulnerability was first revealed earlier this week by the Chinese 
security team "knownsec." Knownsec said on Tuesday they mistakenly 
released exploit code thinking that the problem was already patched, 
iDefense said.

"This is our mistake," knownsec said in a Chinese-language research 
note.

[...]
