Latest IE flaw rated critical
November 5, 2004
A new vulnerability has been reported in Internet Explorer (IE), Microsoft’s widely used Web browser, that hackers can exploit to compromise a user's system.
According to Danish firm Secunia, the vulnerability is caused by a boundary error in the handling of certain attributes in the 'iframe' and 'frame' HTML tags, which can be exploited to cause a buffer overflow and execute malicious code on a PC.
Users of Microsoft's free browser are advised to upgrade their systems to Windows XP SP2, which is not prone to the error. IE6 is vulnerable on both Windows XP SP1 and Windows 2000. Another way to work around the bug is to disable Active scripting in the Internet zone and in the zone used by Outlook, Outlook Express, or any other software that uses the WebBrowser ActiveX control, US-CERT advised.
The organization’s advisory says that “By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker could execute arbitrary code with the privileges of the user. The attacker could also cause IE (or the program using the WebBrowser control) to crash.”
Yesterday, a program designed to exploit this vulnerability was released and distributed through mailing lists. If executed, it could put people using unsecured IE at grave risk of losing all their PC contents and of having the privacy and secrecy of their computer usage history compromised.
Microsoft has begun to investigate the Iframe vulnerability and has not been made aware of any program designed to exploit the flaw, the company said in an e-mail statement sent to news agencies.
"Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs," the company stated.