An “extremely critical” hole in Internet Explorer may ruin Christmas for Microsoft and thousands of its customers, Techworld has learned.

The exploit can give system access to an intruder and allow them to install any code onto a host computer if that person simply visits a website with malicious coding on it. It bypasses security and could easily result in the release of sensitive information.

Microsoft has not been informed of the exploit and the details are now in the public domain, making the situation all the more risky. Security company Secunia.com found the exploit posted on a public mailing list by Chinese researcher Liu Die Yu today and has given it a rating of 4 out of 5.

Secunia CTO Thomas Kristensen warns that due to Microsoft’s new policy of monthly security updates and patches, it may not be until January until the exploit is dealt with.

“Microsoft tends to take its time to resolve an issue to release a solid patch. At the moment they will be working on patches for December so there may be nothing until January - unfortunately for users,” he said.

A Microsoft spokeswoman told us, however, that if the company felt the exploit was critical, it would make an exception to the normal monthly patches. There is no word yet how seriously the company is taking the issue.

Meanwhile, Kristensen warns that one of the holes is very similar to one that was exploited by the extremely damaging Nimbda virus. According to Secunia’s advisory:

  • A redirection feature can bypass Explorer security that stops files on a foreign website from being run
  • That hole means a malicious file can be downloaded and run on a user’s system
  • A cross-site script hole could allow the same file to be run within a user’s protected “My Computer” area, yielding sensitive information
  • A previously fixed vulnerability can still be exploited so limited control over the computer can be achieved
  • A user’s cache can be assessed with an invalid header field

In short, it doesn’t look good.