March 21, 2006 6:11 PM PST
Another IE bug hits Microsoft
Last modified: March 23, 2006 6:55 AM PST
- Related Stories
-
New bug can crash Internet Explorer
March 20, 2006 -
Patches out for IE holes, Sony-related issue
December 13, 2005 -
Attack code released for IE hole
November 21, 2005 -
IE flaw opens door to infection on sight
August 9, 2005
The flaw was reported to the company earlier this month by Jeffrey van der Stad, a 25-year-old Dutch programmer. The problem is related to the way the browser processes so-called HTA files, Microsoft said in an e-mailed statement. HTA files are associated with Web applications.
The vulnerability affects Internet Explorer 6 on Windows 98, Windows XP and Windows 2003 Server, according to van der Stad's Web site. "With this vulnerability it is possible to run an HTA file without the user's permission," he wrote.
Initially, van der Stad provided more details on his Web site, but he removed those at Microsoft's request, he wrote. A proof-of-concept exploit will be published when Microsoft issues a fix for the problem, he wrote.
Microsoft is investigating the issue, the company said. At this time, the company is not aware of any attacks attempting to use the reported vulnerability, it said.
Once it completes its inquiry, Microsoft said, it may issue a security advisory or provide a patch through its monthly release process. On his Web site, van der Stad wrote that Microsoft told him a fix is in the works.
On Wednesday, Microsoft said it is currently working on an update for IE that could be ready as soon as next month's patch day, April 11. "Microsoft will try to make the update as comprehensive as possible, but the update itself was already in development when Microsoft was made aware of these vulnerabilities so that may not be possible," a company representative said.
This is the second IE flaw within a week that Microsoft has said it is investigating and may issue a patch for. On Monday the company said it was looking into a bug that could cause the browser to crash.
Also on Wednesday, the Microsoft Security Response team on its blog said it is looking at a third IE big. The flaw has to do with the "createTextRange()" tag and could be exploited to gain control over a vulnerable PC, according to the blog posting.
"We're still investigating, but we have confirmed this vulnerability...We will address it in a security update," a Microsoft Security Response staffer wrote.
Microsoft offered a work-around, in the meantime.
"Our initial investigation has revealed that if you turn off active scripting, that will prevent the attack, as this requires script," according to a posting on Microsoft's blog.
The flaw affects fully patched versions of IE 6 and Microsoft Windows XP with Service Pack 2. The vulnerability also affects IE 7 Beta 2 Preview, according to an advisory issued by security researcher Secunia.
CNET News.com's Dawn Kawamoto contributed to this report.
See more CNET content tagged:
van,
vulnerability,
Microsoft Internet Explorer,
Microsoft Internet Explorer 6,
flaw
My house is protected by ADT but I know there's a way to get
into my house from the outside. A security HOLE if you will! I
know It's there because my friend in security broke into my
house using that hole; totally bypassing the security all together.
Come to think of it that bonehead stole my Favorite Jay-Z /
Linkin Park Album.
Now I must make a decision because my buddy told the whole
state about my "HOLE" in the security at my house.
HMMMM. Mabey I'll wait till next Tuesday to fix it!
IDIOTS!
~Justin
Longhorn, version of Vista is delayed yet again. And these stories
make headlines.
MS may not be able to deliver a product on time, or secure their
operating system, but their marketing and public relations
departments are second to none.
I'm willing to bet a week's pay that CNet has a MS security hole story template, they just fill in a few blanks for names and dates and then post it on-line.