While Microsoft has yet to issue a permanent patch for a known exploit, the code could become widely available to cybercriminals after being integrated into an open-source testing tool. October 1, 2013 8:09 PM PDT This screenshot shows a successful attack against Windows 7 running IE 9. (Credit: Rapid7) Attack code that exploits an unpatched vulnerability found in all supported versions of Internet Explorer has been released into the wild. This means that cyberattacks could now surge and affect Internet Explorer users. Known as CVE-2013-3893, the exploit was integrated Monday into Rapid7's open-source Metasploit penetration testing tool. By putting the exploit into Metasploit, the attack code was made accessible not only to security professionals but also cybercriminals, according to PCWorld. Related stories ExploitShield becomes Malwarebytes Anti-Exploit Google plans to wipe child porn from the Web Google push for faster zero day fixes hits a wall: Other companies As Schmidt speaks of caution, Google Glass gets hacked Oracle issues emergency Java update to patch vulnerabilities "As long as cybercriminals get access to the exploit code made publicly available we will see instances of the exploit being use by regular cybercriminals and probably we will find the exploit in some of the most famous Exploit Kits," security firm AlienVault's research team manager Jaime Blasco told PCWorld. "I'm sure if Metasploit includes this exploit we will see an increase on widespread exploitation." The exploit has apparently been on the loose for the last three months, but the majority of the attacks have targeted organizations in Japan and Taiwan, according to PCWorld. The integration of the CVE-2013-3893 into Metasploit could mean more widespread attacks. Microsoft has not yet released a permanent patch for this exploit. It announced the CVE-2013-3893 flaw and released a downloadable in mid-September. Microsoft is expected to issue a new batch of security updates on October 8, but it's not yet clear if it will include a permanent patch for CVE-2013-3893.
While Microsoft has yet to issue a permanent patch for a known exploit, the code could become widely available to cybercriminals after being integrated into an open-source testing tool.
This screenshot shows a successful attack against Windows 7 running IE 9.
(Credit: Rapid7)
Attack code that exploits an unpatched vulnerability found in all supported versions of Internet Explorer has been released into the wild. This means that cyberattacks could now surge and affect Internet Explorer users.
Known as CVE-2013-3893, the exploit was integrated Monday into Rapid7's open-source Metasploit penetration testing tool. By putting the exploit into Metasploit, the attack code was made accessible not only to security professionals but also cybercriminals, according to PCWorld.
Related stories
- ExploitShield becomes Malwarebytes Anti-Exploit
- Google plans to wipe child porn from the Web
- Google push for faster zero day fixes hits a wall: Other companies
- As Schmidt speaks of caution, Google Glass gets hacked
- Oracle issues emergency Java update to patch vulnerabilities
"As long as cybercriminals get access to the exploit code made publicly available we will see instances of the exploit being use by regular cybercriminals and probably we will find the exploit in some of the most famous Exploit Kits," security firm AlienVault's research team manager Jaime Blasco told PCWorld. "I'm sure if Metasploit includes this exploit we will see an increase on widespread exploitation."
The exploit has apparently been on the loose for the last three months, but the majority of the attacks have targeted organizations in Japan and Taiwan, according to PCWorld. The integration of the CVE-2013-3893 into Metasploit could mean more widespread attacks.
Microsoft has not yet released a permanent patch for this exploit. It announced the CVE-2013-3893 flaw and released a downloadable in mid-September. Microsoft is expected to issue a new batch of security updates on October 8, but it's not yet clear if it will include a permanent patch for CVE-2013-3893.
