March 21, 2006 6:11 PM PST

Another IE bug hits Microsoft

Microsoft is investigating a security flaw that could let an attacker gain control over a vulnerable Windows computer, the company said Tuesday.

The flaw was reported to the company earlier this month by Jeffrey van der Stad, a 25-year-old Dutch programmer. The problem is related to the way the browser processes so-called HTA files, Microsoft said in an e-mailed statement. HTA (HTML Application) files are associated with Web applications; unlike an ordinary Web page, an HTA runs with the privileges of a local program rather than inside the browser's security zones, which is why launching one without the user's consent matters.

The vulnerability affects Internet Explorer 6 on Windows 98, Windows XP and Windows Server 2003, according to van der Stad's Web site. "With this vulnerability it is possible to run an HTA file without the user's permission," he wrote.

Initially, van der Stad provided more details on his Web site, but he removed those at Microsoft's request, he wrote. A proof-of-concept exploit will be published when Microsoft issues a fix for the problem, he wrote.

Microsoft is investigating the issue, the company said. At this time, the company is not aware of any attacks attempting to use the reported vulnerability, it said.

Once it completes its inquiry, Microsoft said, it may issue a security advisory or provide a patch through its monthly release process. On his Web site, van der Stad wrote that Microsoft told him a fix is in the works.

On Wednesday, Microsoft said it is currently working on an update for IE that could be ready as soon as next month's patch day, April 11. "Microsoft will try to make the update as comprehensive as possible, but the update itself was already in development when Microsoft was made aware of these vulnerabilities so that may not be possible," a company representative said.

This is the second IE flaw within a week that Microsoft has said it is investigating and may issue a patch for. On Monday the company said it was looking into a bug that could cause the browser to crash.

Also on Wednesday, the Microsoft Security Response team said on its blog that it is looking at a third IE bug. The flaw has to do with the "createTextRange()" method and could be exploited to gain control over a vulnerable PC, according to the blog posting.

"We're still investigating, but we have confirmed this vulnerability...We will address it in a security update," a Microsoft Security Response staffer wrote.

Microsoft offered a work-around, in the meantime.

"Our initial investigation has revealed that if you turn off active scripting, that will prevent the attack, as this requires script," according to a posting on Microsoft's blog.

The flaw affects fully patched IE 6 on Windows XP with Service Pack 2. The vulnerability also affects IE 7 Beta 2 Preview, according to an advisory issued by security company Secunia.
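Microsoft's interim workaround above is a configuration change, so here is an added example of applying it, written for this page and not taken from the article or from Microsoft's advisory. It assumes (verify on your own system) that IE's per-zone settings live under HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>, that zone 3 is the Internet zone, that value name 1400 is "Active Scripting", and that 0 = Enable, 1 = Prompt and 3 = Disable. The function and variable names are this example's own.

```powershell
# Added example: read and set the IE "Active Scripting" setting for a zone.
# Assumptions (not from the article): zone settings under the Zones key below,
# zone 3 = Internet, value 1400 = Active Scripting, 0/1/3 = Enable/Prompt/Disable.

$ZonesKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveScripting = '1400'
$StateName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$StateValue = @{ Enable = 0; Prompt = 1; Disable = 3 }

function Get-ActiveScriptingState {
    param([int]$Zone = 3)
    $key  = Join-Path $ZonesKey $Zone
    $item = Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet (zone default applies)' }
    $v = [int]$item.$ActiveScripting
    if ($StateName.ContainsKey($v)) { return $StateName[$v] }
    return "Unknown ($v)"
}

function Set-ActiveScriptingState {
    param(
        [int]$Zone = 3,
        [ValidateSet('Enable', 'Prompt', 'Disable')][string]$State = 'Disable'
    )
    $key = Join-Path $ZonesKey $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $ActiveScripting -Value $StateValue[$State] -Type DWord
}

# Weak setting: the default leaves Active Scripting enabled in the Internet zone,
# which is the precondition the blog post says the createTextRange attack needs.
"Before: Internet zone Active Scripting = $(Get-ActiveScriptingState -Zone 3)"

# Workaround from the advisory: turn script off for the Internet zone.
# 'Prompt' is the less disruptive middle ground if 'Disable' breaks too many sites.
Set-ActiveScriptingState -Zone 3 -State Disable
"After:  Internet zone Active Scripting = $(Get-ActiveScriptingState -Zone 3)"
```

This only changes the current user's setting; a Group Policy value under HKLM for the same zone takes precedence, so check both if the "After" line does not show "Disable". Sites in the Trusted Sites zone (zone 2) keep their own setting and remain exposed unless you change that zone too.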

CNET's Dawn Kawamoto contributed to this report.



This is news???
Posted by advs89 (68 comments )
same old, same old
basically this is what i see everyday on
Posted by xtuser (18 comments )
Think for a minute......
.....stop thinking so you can read this now.

My house is protected by ADT but I know there's a way to get
into my house from the outside. A security HOLE if you will! I
know It's there because my friend in security broke into my
house using that hole; totally bypassing the security altogether.
Come to think of it that bonehead stole my Favorite Jay-Z /
Linkin Park Album.

Now I must make a decision because my buddy told the whole
state about my "HOLE" in the security at my house.

HMMMM. Maybe I'll wait till next Tuesday to fix it!


Posted by OneWithTech (196 comments )
You didn't think
The difference between your silly analogy and Microsoft, is that they didn't tell everyone where the hole is. So your analogy is silly.
Posted by Anonymous1234567890 (53 comments )
I'm thinking- - -
Smell the smoke? That's me thinking. The concept presented is a bit far fetched. If Microsoft would change their choice of word from investigating (which connotes they are getting evidence that the problem exists) to checking for a solution (which states it better) the idea of waiting for something to occur is easier to understand. I remember a few short months ago when MS 'rushed' a patch that screwed up half the computers in the world. They then had to issue a fix. Better to wait a day than create some half-assed quickie to placate the folks that always demand it be done NOW!
Posted by GEBERWEIN (75 comments )
In other news, the sky is blue
and the stripped down, nothing left in it that was promised for
Longhorn, version of Vista is delayed yet again. And these stories
make headlines.

MS may not be able to deliver a product on time, or secure their
operating system, but their marketing and public relations
departments are second to none.
Posted by rcrusoe (1305 comments )
This story is on Auto-Repeat weekly setting
Has a week gone by since 1995 where some new Microsoft security issue is not reported on? I can't think of one.

I'm willing to bet a week's pay that CNet has a MS security hole story template, they just fill in a few blanks for names and dates and then post it on-line.
Posted by booboo1243 (328 comments )
Seems like it, doesn't it?
I think they have more than one template. One for reporting the hole, one for when it gets exploited, one for when microsoft will make the patch available... I prefer they post them than not; knowing about it is more important than being kept in the dark.

It reminds me of a game of treasure hunt... "here's an operating system. Your job? Find the exploits?"
Posted by Seaspray0 (9714 comments )