Slashdot Mirror


Code Posted For New IE Exploit

PC World is reporting that two days ago hackers posted code for a new vulnerability in Internet Explorer that could allow drive-by takeover of a vulnerable PC. Security companies say that no exploits using the "daxctle" vulnerability have yet been found in the wild, but they are taking the new threat seriously. Symantec calls the bug "critical" and Secunia rates it highly critical, the most severe rating. The hackers who posted the sample code, xsec.org, refer to it as a "0day" exploit. The article quotes another security expert who calls this label "a stretch."

Update: 09/17 18:00 GMT by C: Fixed link to XSec. Thanks for pointing that one out, folks.

2 of 123 comments

  1. Wrong Link in Subject by Anonymous Coward · Score: 5, Informative

    That's xsec.org not xsec.com

  2. Re:Since /.'s already turned into bugtraq... by elronxenu · Score: 3, Informative

    Perhaps because the first bug you mentioned was posted 4 months ago, you can resolve it by upgrading your kernel, and almost nobody would run an application chrooted under an SMBFS network filesystem anyway.

    The second bug is only a DoS; it won't give an attacker sweet r00t permissions. And it's also 4-month-old news.

    The third bug doesn't result in any privilege escalation because the kextload program isn't setuid; you'd need to find some other vulnerability in a program which uses kextload.

    And the fourth bug is a month old already, hasn't been proven to be exploitable (more likely to simply crash Firefox), and is easily resolved by upgrading Firefox.