A new web browser vulnerability made a tough week a little bit tougher for Microsoft.
For the second time in as many days, security researchers discovered a new flaw in Internet Explorer; the latest can be exploited by an attacker to compromise a user's PC.
The newest flaw, rated "highly critical," "is caused by an error in the processing of the 'createTextRange()' method call applied on a radio button call," said Secunia. "This can be exploited by e.g. a malicious website to corrupt memory in a way that allows the program flow to be redirected to the heap."
Secunia, which credited Andreas Sandblad of its own research division and Stelian Ene with the discovery, added that the flaw has been found in pre-release versions of Microsoft's next-generation Internet Explorer 7.
"The vulnerability has been confirmed on a fully patched system with Internet Explorer 6 and Microsoft Windows XP System Pack 2," said Secunia. "The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview. Other versions may also be affected."
Microsoft said yesterday that it was investigating a recently discovered flaw in IE that could result in the browser crashing after accessing an exploitive page. Secunia had called that vulnerability "not critical."
Stephen Toulouse, a security program manager with Microsoft's Security Response Center, told the IDG News Service yesterday that an update to IE could be available as soon as early next month.
Lennart Wistrand, a member of the MSRC, said yesterday that the company was investigating the earlier flaw.
Secunia said today in an advisory on the "createTextRange() Code Execution" flaw that "the vendor is currently working on a patch."