Exploit code for the the zero-day vulnerability in Internet Explorer has been added to the Metasploit framework. According to an email HD Moore wrote to ZDNet’s Ryan Naraine, the exploit works quite reliable – successful 50% of the times on Windows XP with SP2 and SP3 with IE7 and deactivated Data Execution Prevention (DEP).
The security hole got reported yesterday on Microsoft’s March 2010 Patch Tuesday. Drive-by-Download-Exploits are likely to appear now as the Metasploit framework is open source and the exploit can now be abused even by script kiddies. Time to change the default browser – Microsoft just released a new browser choice screen which allows for exactly that!