Microsoft looking into newest IE flaw

Share this article:

Microsoft publicly acknowledged this week's second newly discovered flaw in Internet Explorer on Wednesday.

The company said the vulnerability would be addressed in an upcoming security bulletin, but advised safe browsing practices as a short-term solution to the "highly critical" flaw.

"(I) wanted to let you know that today we saw another public posting around a vulnerability in Internet Explorer. This one is different than the crash bug I wrote about earlier. The public posting speaks about createTextRange() and a way that this could be utilized to get code to run when visiting a specially crafted webpage," said Lennart Wistrand on Microsoft's Security Response Center blog. "We're still investigating, but we have confirmed this vulnerability and I am writing a Microsoft Security Advisory on this."

"We wanted to make sure customers knew we were aware of this and we will address it in a security update," he added.

The vulnerability can be found in pre-release versions of Microsoft's next generation Internet Explorer 7, as well as fully-patched Windows operating systems with IE 6, according to Secunia – the group that credited its own Andreas Snablad and private security researcher Stelian Ene with discovering the new flaw on Wednesday.

According to the U.S. Computer Emergency Response Team (U.S.-CERT), which also released an advisory on the newer, more critical createTextRange() flaw, there is proof-of-concept code for this vulnerability.

"By persuading a user to access a specially crafted webpage, a remote, unauthenticated attacker may be able to execute arbitrary code on that user's system. This vulnerability can also be used to crash Internet Explorer," according to the U.S.-CERT advisory. "Known attack vectors for this vulnerability require Active Scripting to be enabled in Internet Explorer. Disabling Active Scripting will reduce the chances of exploitation."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.