Microsoft looking into newest IE flaw

Share this article:

Microsoft publicly acknowledged this week's second newly discovered flaw in Internet Explorer on Wednesday.

The company said the vulnerability would be addressed in an upcoming security bulletin, but advised safe browsing practices as a short-term solution to the "highly critical" flaw.

"(I) wanted to let you know that today we saw another public posting around a vulnerability in Internet Explorer. This one is different than the crash bug I wrote about earlier. The public posting speaks about createTextRange() and a way that this could be utilized to get code to run when visiting a specially crafted webpage," said Lennart Wistrand on Microsoft's Security Response Center blog. "We're still investigating, but we have confirmed this vulnerability and I am writing a Microsoft Security Advisory on this."

"We wanted to make sure customers knew we were aware of this and we will address it in a security update," he added.

The vulnerability can be found in pre-release versions of Microsoft's next generation Internet Explorer 7, as well as fully-patched Windows operating systems with IE 6, according to Secunia – the group that credited its own Andreas Snablad and private security researcher Stelian Ene with discovering the new flaw on Wednesday.

According to the U.S. Computer Emergency Response Team (U.S.-CERT), which also released an advisory on the newer, more critical createTextRange() flaw, there is proof-of-concept code for this vulnerability.

"By persuading a user to access a specially crafted webpage, a remote, unauthenticated attacker may be able to execute arbitrary code on that user's system. This vulnerability can also be used to crash Internet Explorer," according to the U.S.-CERT advisory. "Known attack vectors for this vulnerability require Active Scripting to be enabled in Internet Explorer. Disabling Active Scripting will reduce the chances of exploitation."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.