Microsoft looking into newest IE flaw

Share this article:

Microsoft publicly acknowledged this week's second newly discovered flaw in Internet Explorer on Wednesday.

The company said the vulnerability would be addressed in an upcoming security bulletin, but advised safe browsing practices as a short-term solution to the "highly critical" flaw.

"(I) wanted to let you know that today we saw another public posting around a vulnerability in Internet Explorer. This one is different than the crash bug I wrote about earlier. The public posting speaks about createTextRange() and a way that this could be utilized to get code to run when visiting a specially crafted webpage," said Lennart Wistrand on Microsoft's Security Response Center blog. "We're still investigating, but we have confirmed this vulnerability and I am writing a Microsoft Security Advisory on this."

"We wanted to make sure customers knew we were aware of this and we will address it in a security update," he added.

The vulnerability can be found in pre-release versions of Microsoft's next generation Internet Explorer 7, as well as fully-patched Windows operating systems with IE 6, according to Secunia – the group that credited its own Andreas Snablad and private security researcher Stelian Ene with discovering the new flaw on Wednesday.

According to the U.S. Computer Emergency Response Team (U.S.-CERT), which also released an advisory on the newer, more critical createTextRange() flaw, there is proof-of-concept code for this vulnerability.

"By persuading a user to access a specially crafted webpage, a remote, unauthenticated attacker may be able to execute arbitrary code on that user's system. This vulnerability can also be used to crash Internet Explorer," according to the U.S.-CERT advisory. "Known attack vectors for this vulnerability require Active Scripting to be enabled in Internet Explorer. Disabling Active Scripting will reduce the chances of exploitation."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Apple implements two-factor authentication

The company followed through on its promise to up iCloud security by implementing two-factor authentication earlier this week.

C&K apologizes for unauthorized access that led to Goodwill breach

A web hosting service apologized for intermittent unauthorized access of its hosted environment over 18 months that led to the Goodwill breach.

Yelp and TinyCo settle with FTC over COPPA Rule violations

Yelp and TinyCo settle with FTC over COPPA ...

Yelp will pay $450,000, and TinyCo will pay $300,000 to settle charges that their mobile apps collected information from children under the age of 13.