While Microsoft has yet to issue a permanent patch for a known exploit, the code could become widely available to cybercriminals after being integrated into an open-source testing tool.
October 1, 2013 8:09 PM PDT
This screenshot shows a successful attack against Windows 7 running IE 9.
Attack code that exploits an unpatched vulnerability found in all supported versions of Internet Explorer has been released into the wild.
This means that cyberattacks could now surge and affect Internet Explorer users.
An exploit for the vulnerability, known as CVE-2013-3893, was integrated Monday into Rapid7’s open-source Metasploit penetration testing tool. By putting the exploit into Metasploit, the attack code was made accessible not only to security professionals but also to cybercriminals, according to PCWorld.
“As long as cybercriminals get access to the exploit code made publicly available we will see instances of the exploit being used by regular cybercriminals and probably we will find the exploit in some of the most famous Exploit Kits,” security firm AlienVault’s research team manager Jaime Blasco told PCWorld. “I’m sure if Metasploit includes this exploit we will see an increase on widespread exploitation.”
The exploit has apparently been on the loose for the last three months, but the majority of the attacks have targeted organizations in Japan and Taiwan, according to PCWorld.
The integration of the CVE-2013-3893 exploit into Metasploit could mean more widespread attacks.
Microsoft has not yet released a permanent patch for this vulnerability. It announced the CVE-2013-3893 flaw and released a downloadable “Fix It” tool (https://support.microsoft.com/kb/2887505) in mid-September. Microsoft is expected to issue a new batch of security updates on October 8, but it’s not yet clear if it will include a permanent patch for CVE-2013-3893.