Passion is like genius; a miracle.

Blog on Software, Statistics, and Quant

Microsoft Internet Explorer vulnerable to code execution via scripting “window()” object


US-CERT VU#887861

Microsoft Internet Explorer does not properly handle requests to the window() object. When an HTML document references the window() object in a specially crafted manner, Internet Explorer can crash in a way that allows an attacker to execute arbitrary shell code.

Note: Proof of concept code is publicly available.

Be careful when you click a link; otherwise, you may be owned. This is a very critical vulnerability of IE. PoC is already available, and so is the shell code. Infocon has been turned into yellow for about a day due to this.

At the same time, exploiting this flaw seems to be way too simple. Address is already published, and a code injection vector can be put quite simply.


Leave a Reply

Your email address will not be published. Required fields are marked *