Last week, Raff held a "treasure hunt" on his site, where he had hidden the exploit code. He declared "George the Greek" the contest winner in conjunction with the publication of details about the vulnerability.
"Internet Explorer is prone to a Cross-Zone Scripting vulnerability in its 'Print Table of Links' feature," Raff explained in a post on Milw0rm.com summarizing his proof-of-concept exploit. "This feature allows users to add to a printed Web page an appendix which contains a table of all the links in that Web page."
According to Raff, an attacker can add a maliciously crafted link to any Web page that accepts user generated content that, under certain circumstances, lets the attacker take control of the user's machine when he or she tries to print the page.
When it prints a page, Internet Explorer invokes a local resource script to generate any of the HTML to be printed. "This HTML consists of the following elements: Header, webpage body, footer, and if enabled, also the table of links in the Web page," Raff explains.
Because the script does not validate the URL, an attacker can inject a script that will be executed when the HTML to be printed is generated.
Users of Internet Explorer 7.0 and 8.0b on fully patched Windows XP systems are vulnerable. Users of Windows Vista with User Account Control (UAC) enabled may only be subject to information leakage. Earlier versions of Internet Explorer may also be affected.
Raff said that he alerted Microsoft to the problem on Tuesday and that the company is planning a fix. In the meantime, he advises not using the "Print Table of Links" feature when printing Web pages.