Dec 22, 2010 17:18 GMT

Exploit code for an unpatched remote code execution vulnerability in Internet Explorer has been added to the popular Metasploit open source penetration testing framework.

The flaw was originally reported as a denial of service condition on the Full Disclosure mailing list on December 8.

However, vulnerability research companies like Secunia and VUPEN Security warned that it could also be exploited to execute arbitrary code.

"This issue is caused by a use-after-free error within the 'mshtml.dll' library when processing a web page referencing a CSS (Cascading Style Sheets) file that includes various '@import' rules," VUPEN explains.

Microsoft has confirmed in a newly published advisory that Internet Explorer 6, 7 and 8, running on all supported Windows versions, are affected.

It does point out, however, that Protected Mode, which is enabled by default on Windows Vista and 7, restricts the vulnerability's impact on those systems.

Yesterday, a group called Abysssec Security Research announced a reliable exploit for the flaw that also completely bypasses DEP and ASLR, the mitigations meant to prevent arbitrary code execution.

The exploit has been added to Metasploit, and since the framework is open source, anyone can potentially grab it and use it to launch drive-by download attacks.

In such attacks, victims are silently infected with malware merely by visiting a maliciously crafted Web page on a compromised legitimate website.

"This exploit utilizes a combination of heap spraying and the .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR," a description of the Metasploit module reads.

The vulnerability was disclosed days before this month's Patch Tuesday, when Microsoft fixed another IE 0-day that had been exploited in the wild for almost six weeks.

If no widespread attacks exploiting this new flaw (CVE-2010-3971) appear, Microsoft will most likely wait until January 10 to patch it.