Microsoft Internet Explorer vulnerable to code execution via scripting “window()” object

US-CERT VU#887861

Microsoft Internet Explorer does not properly handle requests to the window() object. When an HTML document references the window() object in a specially crafted manner, Internet Explorer can crash in a way that allows an attacker to execute arbitrary shell code.

Note: Proof of concept code is publicly available.

Be careful when you click a link; otherwise, you may be owned. This is a very critical vulnerability of IE. PoC is already available, and so is the shell code. Infocon has been turned into yellow for about a day due to this.

At the same time, exploiting this flaw seems to be way too simple. Address is already published, and a code injection vector can be put quite simply.

Similar Posts:

Post a Comment

Your email is never published nor shared.