Symantec is reporting that older versions of Microsoft Internet Explorer are susceptible to a new attack against a vulnerability in its cascading style sheets (CSS). While a working exploit hasn’t been detected, Symantec suspects that it’s only a matter of time before hackers start actively using this new vulnerability with a full-functioning exploit.
According to Symantec, the CSS vulnerability affects versions 6 and 7 of the Microsoft browser. Exploits currently detected are unreliable, meaning that they don’t always work. However, when a working, full-functioning exploit is produced, Symantec says hackers will be able to inject malicious code into Web sites and stealthily infect PCs.
Symantec says malicious code attacking the vulnerability are detected with the current Bloodhound.Exploit.129 antivirus signature, as well as the HTTP Microsoft IE Generic Heap Spray BO and HTTP Malicious Javascript Heap Spray BO IPS signatures. Since these signatures aren’t fully reliable, Symantec is working on a new set of signatures specifically for this vulnerability.
Until Microsoft releases a patch for the CSS vulnerability, Symantec advises PC users to update antivirus signatures, disable JavaScript and only visit trustworthy Web sites.