Attack code exploits new IE bug


Security researchers are warning that exploit code is circulating for a newly discovered security vulnerability in Microsoft's Internet Explorer web browser.

An error in the way IE handles some attributes of the "iframe" and "frame" HTML tags can be exploited to cause a buffer overflow and execute malicious code on a PC. The vulnerability could be exploited via a specially crafted HTML document, including an e-mail message or a web page, according to an advisory from US-CERT.

The bug has been confirmed in IE 6.0 on a fully patched Windows XP with Service Pack 1 and IE 6.0 on a fully patched Windows 2000, according to an advisory from Danish security firm Secunia.

Programs using the WebBrowser ActiveX control, including Outlook, Outlook Express, AOL and Lotus Notes, may also be affected.

While Microsoft has not yet issued a patch, the bug appears to be a selling point for the widely touted Service Pack 2 (SP2) - systems running SP2 do not appear to be affected.

The bug could be particularly serious because a working exploit has been published on public mailing lists, according to Secunia. Such an exploit could make it far easier for a malicious user to launch an attack.

Written by Techworld staff
