Microsoft looking into newest IE flaw

Share this article:

Microsoft publicly acknowledged this week's second newly discovered flaw in Internet Explorer on Wednesday.

The company said the vulnerability would be addressed in an upcoming security bulletin, but advised safe browsing practices as a short-term solution to the "highly critical" flaw.

"(I) wanted to let you know that today we saw another public posting around a vulnerability in Internet Explorer. This one is different than the crash bug I wrote about earlier. The public posting speaks about createTextRange() and a way that this could be utilized to get code to run when visiting a specially crafted webpage," said Lennart Wistrand on Microsoft's Security Response Center blog. "We're still investigating, but we have confirmed this vulnerability and I am writing a Microsoft Security Advisory on this."

"We wanted to make sure customers knew we were aware of this and we will address it in a security update," he added.

The vulnerability can be found in pre-release versions of Microsoft's next generation Internet Explorer 7, as well as fully-patched Windows operating systems with IE 6, according to Secunia – the group that credited its own Andreas Snablad and private security researcher Stelian Ene with discovering the new flaw on Wednesday.

According to the U.S. Computer Emergency Response Team (U.S.-CERT), which also released an advisory on the newer, more critical createTextRange() flaw, there is proof-of-concept code for this vulnerability.

"By persuading a user to access a specially crafted webpage, a remote, unauthenticated attacker may be able to execute arbitrary code on that user's system. This vulnerability can also be used to crash Internet Explorer," according to the U.S.-CERT advisory. "Known attack vectors for this vulnerability require Active Scripting to be enabled in Internet Explorer. Disabling Active Scripting will reduce the chances of exploitation."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.