Microsoft is investigating claims of a new zero-day vulnerability that leaves Internet Explorer browser users wide open to remote code execution attacks.

Exploit code for the vulnerability has been added to the Metasploit tool and a video has been posted to provide a demo of the severity.

Here’s a brief description of the issue from VUPEN:

A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to take complete control of a vulnerable system. This issue is caused by a use-after-free error within the “mshtml.dll” library when processing a web page referencing a CSS (Cascading Style Sheets) file that includes various “@import” rules, which could allow remote attackers to execute arbitrary code via a specially crafted web page.

VUPEN has confirmed this vulnerability with Microsoft Internet Explorer 8 on Windows 7, Windows Vista SP2 and Windows XP SP3, and with Internet Explorer 7 and 6 on Windows XP SP3.

Metasploit’s exploit code provides some more information:

This module exploits a memory corruption vulnerability within Microsoft HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution.

According to the video posted by Abysssec Security Research, the exploit bypasses two key Windows anti-exploit mitigations (DEP and ASLR) without the use of any third party extensions.

There are reports that the vulnerability was first published on a Chinese security blog.

This blog post is originally copied from http://www.zdnet.com