Microsoft publicly acknowledged this week's second newly discovered flaw in Internet Explorer on Wednesday.
The company said the vulnerability would be addressed in an upcoming security bulletin, but advised safe browsing practices as a short-term solution to the "highly critical" flaw.
"(I) wanted to let you know that today we saw another public posting around a vulnerability in Internet Explorer. This one is different than the crash bug I wrote about earlier. The public posting speaks about createTextRange() and a way that this could be utilized to get code to run when visiting a specially crafted webpage," said Lennart Wistrand on Microsoft's Security Response Center blog. "We're still investigating, but we have confirmed this vulnerability and I am writing a Microsoft Security Advisory on this."
"We wanted to make sure customers knew we were aware of this and we will address it in a security update," he added.
The vulnerability can be found in pre-release versions of Microsoft's next generation Internet Explorer 7, as well as fully-patched Windows operating systems with IE 6, according to Secunia – the group that credited its own Andreas Snablad and private security researcher Stelian Ene with discovering the new flaw on Wednesday.
According to the U.S. Computer Emergency Response Team (U.S.-CERT), which also released an advisory on the newer, more critical createTextRange() flaw, there is proof-of-concept code for this vulnerability.
"By persuading a user to access a specially crafted webpage, a remote, unauthenticated attacker may be able to execute arbitrary code on that user's system. This vulnerability can also be used to crash Internet Explorer," according to the U.S.-CERT advisory. "Known attack vectors for this vulnerability require Active Scripting to be enabled in Internet Explorer. Disabling Active Scripting will reduce the chances of exploitation."
