Microsoft confirms IE6, IE7 zero-day bug
By Gregg Keizer
November 23, 2009 04:03 PM ET
Computerworld - Microsoft today confirmed that exploit code published last week can compromise PCs running older versions of Internet Explorer (IE), but said its security team has not yet seen any in-the-wild attacks.
The attack code, which was posted Friday to the Bugtraq security mailing list, affects both Internet Explorer 6 (IE6) and the newer IE7, Microsoft acknowledged. "Microsoft can confirm that the publicly available exploit code affects IE6 and IE7, not IE8," a company spokesman said in an e-mail reply to questions today.
IE6 and IE7 account for more than 41% of all browsers used worldwide, according to the most recent data from metrics firm Net Applications. IE8, meanwhile, has an 18.1% market share.
Over the weekend, Symantec researchers took note of the exploit code, but said that it was shaky. "The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future," the security company's analysis team said in an entry on a company blog.
According to Danish vulnerability tracking vendor Secunia, the flaw is in IE's layout parser, and could be exploited by hackers to hijack fully-patched Windows XP Service Pack 3 (SP3) machines. Secunia rated the vulnerability as "highly critical," its second-highest threat ranking.