Exploit for unpatched IE hole released
An exploit for the recently disclosed critical hole in Microsoft XML Core Services is now publicly available as a module for the Metasploit exploit framework. The vulnerability can be exploited to execute code remotely via specially crafted pages in Internet Explorer; Office 2003 and 2007 are also vulnerable. Although the exploit currently works only with Microsoft XML Core Services 3.0 in IE6 and IE7 under Windows XP (SP3), the hole generally affects all supported versions of Windows.
In its security advisory, Microsoft advises users to apply a "Fix it" solution until a patch that fixes the vulnerability has been released. While it usually takes a few days before public exploits are used for large-scale attacks, Microsoft notes that it is already "aware of active attacks" that leverage the vulnerability. According to some rumours, attacks using this hole are one of the reasons behind Google's new warning system that alerts users to suspected attacks by state-sponsored agencies.