March 20, 2006 2:28 PM PST

New bug can crash Internet Explorer

Microsoft is investigating a newly reported flaw in Internet Explorer 6 that could cause the browser to crash when viewing a malicious Web page, the company said Monday.

Details of the security weakness in the Web browser were published on a popular security mailing list last week by researcher Michal Zalewski. "This might not come as a surprise, but there appears to be a very interesting and apparently very much exploitable overflow in Microsoft Internet Explorer," he wrote.

The flaw can be exploited by an attacker to crash IE, Secunia said in an advisory published Monday. The vulnerability has been confirmed on a fully patched PC running IE 6 and Windows XP with Service Pack 2, the security monitoring company said. Secunia deems the issue "not critical."

Microsoft is investigating the issue, a company representative said in an e-mailed statement. "At this time, we are not aware of any attacks attempting to use the reported vulnerability," the representative wrote.

Once it completes its inquiry, Microsoft said, it may issue a security advisory or provide a patch through its monthly release process.


72 comments

I know for a fact..
I've watched it happen in front of me while doing research on
spyware. All of a sudden -- the hard drive goes nuts and CRASH IE
is taken out.

Wake up and by a Mac!

~Justin
Posted by OneWithTech (196 comments )
Why not use...
Why use a MAC that runs on top of Unix? Why not just use GNU/Linux instead..
I can keep my PC hardware and I don't have to shell out money on closed hardware. If you want the Mac OS desktop just run GNOME window manager.
Posted by Greenbeanx (35 comments )
Macs...
Macs are nice but Linux fits my budget better.
Posted by marytee (4 comments )
Wake up and study your OS
The Apple Intel chip was pushed to market with over 60 known issues (the most for any Intel chip at release)...14 of which are labeled "show-stoppers"...crash-bang-clunk!

Why anyone would buy proprietary systems with limited software development is still beyond me...they break just like any other system (my Dual G5 at work just got back from the shop)...

When will people realize that all OS's suck...but firefox is sweet...simple workaround for PC users...or any other myriad of browsers offered on the Wintel platform. Options...homie LOVES options, and that is exactly what linux/windows offers. Unlike dev on the Mac, I can go buy any number of hardware/software solutions. Gotta give Apple props for their move to Unix based...smart move in the right direction. More focus on software and less on electronics plz Apple...
Posted by cryhavoc2112 (41 comments )
Your lies are transparent
Just how long ago did this happen to you? How do you know that it's this particular bug? How come you "know" that a Mac is better but you are using a PC yourself? Why if you know better things are out there aren't you using Firefox or Opera instead of IE in the first place?

Nope, your recommendation to "by a Mac" (SIC) shows you're here with only one agenda and that's to spread FUD (something you like to accuse MS of doing).
Posted by aabcdefghij987654321 (1721 comments )
Mac == Never crash?
By saying we should by[sic] a Mac because of an IE crash, are you claiming that there are no crashing bugs when browsing the web on a Mac?

Which browser is this of which you speak that has shown to have zero crashing bugs?
Posted by KTLA_knew (385 comments )
Live.com
Microsoft's live.com has crashed my browser many times...
Posted by advs89 (68 comments )
I experienced that, too...
Though I don't think www.live.com is intentionally the malicious web site referred to by this article...

;-p
Posted by Mendz (519 comments )
dead.com ?
Maybe they need to rename it to dead.com ?
Posted by pythonhacker (71 comments )
MS live.com crashed my MS IE6 SP1
this is absurd and stupid!!!
Posted by vipervr (1 comment )
IE
Do people really still use Internet Explorer??? (unless they are at work and have no choice)

That's weird.
Posted by Lee in California (13 comments )
What's wrong?
What's wrong with Internet Explorer? I've used Internet Explorer, AND Windows XP and my computer hasn't crashed in 3 years. Seriously, if it hasn't worked out for you I understand that, but please don't make a big deal out of it.
Posted by xtuser (18 comments )
Just seems nicer to me
Other browsers have a nice look to them, but even when optimized I still seem to get to websites faster, and have a much faster file download speed (FF caps out at 400KB whereas I've gotten 1.4 MB on IE---All my results, not facts).

I have yet to get a virus except out of pure ignorance, which happened many years ago. Oh well, guess others are just unlucky.
Posted by Tomcat Adam (272 comments )
I use nothing else
Hype amongst MS haters is the biggest reason for FF and others to have any kind of popularity past the MS hating crowd.

I use IE every day. Other browsers have problems with lots of pages for me. I use Exchange 2003's OWA all the time with FF or others it works only in the basic mode....no thanks.

If you have autoupdate on then you have no worries. I have never had a virus or had any exploit come through IE.

Tabbed browsing is nice and I am sure I will like it when the IE7 final version ships.
Posted by Lindy01 (443 comments )
indeed it crashes
hehehe.... yes... it crashes
Posted by julianrodriguez (13 comments )
Not IE7
I'm using IE7. It does NOT crash...
Posted by aemarques (162 comments )
Simple, Use Firefox or Opera
Why is everybody still entrenched in using Internet Exploder :P Install Mozilla Firefox
or Opera and say goodbye to IE :D
Posted by wakizaki (44 comments )
There's really no excuse for this in 2006
Buffer overflow is something that has been well known and well understood for decades now.
Microsoft needs to do an investigation to find the programmer(s) responsible,
and work together with other software companies to develop a blacklist so that
incompetents don't just move on to another unsuspecting employer.
Posted by Jackson Cracker (272 comments )
then again
what can you expect from a company that thought it was A-OK to publish MS Office 6.0 when it couldn't even read files created by its own 4.0? (remember - there was no 5.anything). Hmm, oh yeah - in spite of costing hundreds of thousands of hours of lost productivity - they never did rebate anyone for their woes and often corrupted data. Kinda like when it was A-OK to ship a crosslinking DOS 6.0 - which while they were fixing it from version to version - forgot to make sure their data compressions were also backwards compatible (OOOPS - sorry about that boys) - in a time when many small companies thought floppies were reliable back-ups. OUCH - that had to have hurt (you know when they said oh well, I'll just restore...and couldn't). Yeah - Bill broke out the wallet and reimbursed who? Absolutely NO ONE!!!!

Want to know what MS products are going to be doing in 5 years? Use something else today!

and my favorite self-made MS comment:
If God really wanted man to enjoy computing - Bill Gates would've been stillborn!
Posted by sylhyntm (67 comments )
What bunk...
When will people wake up and smell the coffee, and stop being such easy dupes? The purpose of this so-called "security advisory" doesn't either enlighten or help a single, solitary soul--except maybe hackers who find their "jobs" (heh...;)) made easier by the process of self-styled "security firms" publishing details surrounding the holes they find.

The obvious answer to why a "security firm" would publish such information, information it deems "non-critical" and information surrounding a hole that has never been exploited by any entity except the "security firm" itself, is that the publication of such information is positive PR for the security firm itself. Outside of self-promotion for the "security firm," this information has no *positive* value whatsoever.

This is akin to Symantec publishing details of a virus that no one has ever contracted, and that no one has ever written before, in the hopes that someone will take this information and write a virus with it so that Symantec could then provide a "cure."

This "security firm" nonsense is a racket, pure and simple. A pity that so few people can see past the length of their own shallow prejudices to see it.
Posted by Walt Connery (89 comments )
Been there...
...done that. Why am I not surprised by this? I guess it's because we always end up reading stuff about IE's vulnerabilities. Old news!
Posted by (6 comments )
I appreciate Microsoft's consideration.....
.... by NOT developing any more IE versions for the Mac. To show
my appreciation, I have removed all copies of IE from my PC's too,
as much as IE can be removed from Windows. MS really welded IE
into Windows to beat out Netscape.
Posted by Earl Benser (4310 comments )
are you using 3.1?
That's the last version of Windows I can recall you being able to uninstall I.E. from.
Posted by Bob Brinkman (556 comments )
MS should stick to games only before they kill someone...wait, they did!
MS should stick to games only before they kill someone as a direct result of poor quality products. Wait a minute, they did already. If you take the one death directly attributed to the blackout of '03, which I believe was caused by major power lines failing. The people tasked to monitoring those failing lines did not know there were issues developing, because the systems used were down due to a Microsoft virus. If it wasn't for the Blaster worm the blackout that cost millions of dollars ...maybe a billion? ...probably never would have happened.
Posted by booboo1243 (328 comments )
ya!
And guns kill people too..
Posted by Bob Brinkman (556 comments )
Check your facts
The XA/21 system that controls the Electric grid runs on UNIX.

The blackout was a combination of events. Overgrown trees, inadequate staff to detect and correct the software bug in a UNIX system, and FirstEnergy not taking remedial action or warning other control centers.
Posted by gzcp31 (1 comment )
Stick to facts
And one fact is that the blackout had nothing to do with a failure of Windows. There were some people who theorized that maybe a worm that was spreading at that time had something to do with the blackout but that was disproved when the true source of the blackout was found and it also had no effect on the spread of the blackout from that original source.
Posted by aabcdefghij987654321 (1721 comments )
Not only did they kill somebody
but MS gave me an STD.
Posted by Charleston Charge (362 comments )
Facts? Here are some facts...
The *nix systems are being phased out for SCADA based systems, which all too often are being controlled by Windows virus based systems.

There were key PCs tasked to monitoring only, that were infected with viruses while the "host of other issues" were playing out. Trees take down power lines all the time, are you telling me the blackout of '03 was the only instance where trees took down lines? It was because of Microsoft infected devices tasked to monitoring this event failing, that action was not taken in a timely manner that may have prevented the blackout. That's where those of us not being paid off point fingers, with untainted common sense.
Posted by booboo1243 (328 comments )
you mean
We're supposed to be getting checks for not believing you? Hot damn!

http://en.wikipedia.org/wiki/2003_North_America_blackout
Posted by Bob Brinkman (556 comments )
Unix infected
Even the way you state what OS was running on some machines shows your bias. Your total failure to actually understand the cause of the blackout from its original source to the people and system failures that allowed it to become a major problem is even more evidence that you don't have a clue and you have no desire to get one either.
Posted by aabcdefghij987654321 (1721 comments )
Speaking of which...
...have any of you guys gotten your checks this month from Bill? Mine hasn't arrived yet...
Posted by J_Satch (571 comments )
This bug
is not out in the wild AND it requires user interaction. It seems to me that if this same story was for the Mac everyone would be crying out FUD. I'm a Firefox and Opera user myself but it's just kind of amusing how one sided some of these posts tend to be.
Posted by Charleston Charge (362 comments )
Just DO IT and stop griping about it
If you don't like it, then wipe all microsoft software from your computer and install something else. There are alternatives available and you do have a choice. If you are using something else, then you have no reason to vent your stupid complaining because you are not affected.

So why is it that almost all the complaining is from people who don't even use microsoft software? Oh, come on... you're so easy to spot... "M$, Micro$oft, Windoze, Just another example, etc, etc, etc." You have no right to complain; YOU DON'T EVEN USE IT.

I've had about enough from you MAC boys and Linux groupies. I'm not talking about everyone who uses Linux or MAC. Nope, just those of you who have nothing better to do with your pathetic, useless life than constantly complain about an OS you don't even use. Don't like my post? Byte me!
Posted by Seaspray0 (9714 comments )
Jimmy, oh Jimmy Mack. . .
you sound like someone who just had Internet Explorer crash his
computer.
Posted by J.G. (837 comments )
How Long Will it Take To Fix?
Isn't the real question how long will it take for Microsoft to fix this vulnerability? Even tho this is not out in the wild they should be proactive and fix it!
Posted by (17 comments )
Exactly which part
of the English language do you not understand?

I kinda thought I made it pretty clear that I was nearly exhausted and got ahead of myself - forgetting to go back and re-read before posting. Had I, I would have corrected that first part to read so that it was clear that the Tabbrowsing did exist on IE (NOW, like after it had long been a feature in Mozilla projects - same as RSS feeds and anti-pop-up and phishing features) Features that mysteriously didn't appear in IE until they began to see some market erosion.

So - can you write an add-on to IE that enables even more flexibility to the Tabs? Probably not.
Can you write a feature to add enormous functionality in other parts of IE - no - you probably cannot.

By the way - can you remember the original instruction set for the 4086 processor - you know - the one that preceded the 8086 that was originally used in the first IBM PC's?

Yeah, I probably have forgotten more advanced programming techniques from the previous generations than you have mastered in the current.

Do you also have any in depth analog computing experience behind you? How about computers that don't even use electricity (like the pneumatic/hydraulic forced balance analogs I was responsible for on the USS Ranger)?

30 years and then some - but ONLY 30 as a recognized professional. The earlier work only got me statewide recognition in Ohio - and numerous scholarship offers while I was still in high school. Doing stuff like operational amplifier research and early gated logic circuits.
Posted by sylhyntm (67 comments )
Defensive people like you. . .
embarrass themselves. They behave as if they need the
approval of the whole world. One does not. On the other hand,
you are in, Lord forbid, Ohio, a place where a fraudulent coin
collector is considered a state treasurer and parents keep kids in
cages. Understandable that you need an ego boost.

Most people here are Internet regulars. We already know that IE
has a large installed base because of Microsoft market
dominance, not quality. We are the people most likely to know
about alternative browsers. So, you are preaching, rather
endlessly, to the choir. And, yes, that choir includes advocates
for IE.
Posted by J.G. (837 comments )
THIS is NEWS?
I'm a Mac guy. I'm a Mac guy in part because I'd rather not deal
with Microsoft's standard of 'excellence' unless I'm paid for the
effort. I firmly believe things about Microsoft that could get me
sued for slander or libel or some such.

Know where I'm coming from? OK. I'm telling you that this is not
a big deal. The bug allows a remote site to crash your browser.
While that is more of a disaster than has been successfully
visited on many Mac users, this is worth an uproar because ...? It
could annoy you by closing your other tabs ... oh, does IE have
those yet? It's no big deal! You restart IE and don't return to that
site ... and just what will you tell your wife or boss you were
doing there anyway?

Please ... even an enemy of the Evil Empire can't get roused over
this one.
Posted by dlmeyer (6 comments )
Amen
Hi Mac Guy
Only yours and Aurik Rain's "Disabling Internet Explorer is possible" Mar 21 2006, 6:35 AM PST
comments should have made it here.
The rest of the 63 comments were self-serving babblings that did not inform or assist in solving IE browser's shortcomings.
I don't have MAC because my tech skills are not savvy enough.
Sooooo I put up w/IE because it's the smart thing to do when your OS is MS (W-XP Sp 2). MS has made sure that some applications will not function properly, soooooo I also use FF when IE
(which is tight as a drum on my computer) becomes annoying at times.
I have 3 people on my machine and still in dial up mode. Norton virus software is only loyal to one account, therefore I use McAfee.
Yes my IE becomes unresponsive at times (crashes I guess) but I'm glad, then I know I put my nose somewhere it did not belong.
I do have life beyond IE and MS.

Now, my biggest beef is Windows Messenger.
How can I get rid of it, if at all.
Any and all feedback would be appreciated.
Thx
Posted by sneezy--2008 (53 comments )
 
