Microsoft Confirms 'Highly Critical' IE Hole!!

naveenchandran · 24-03-2006, 10:04 AM

Microsoft plans to release a pre-patch advisory with workarounds for a "highly critical" vulnerability that could put millions of Internet Explorer users at the mercy of malicious hackers.

http://blogs.technet.com/msrc/default.aspx

The advisory, which will be posted here, acknowledges a code execution hole that was discovered and publicly reported by Secunia Research of Copenhagen, Denmark.

Secunia said in an alert that the vulnerability is due to an error in the processing of the "createTextRange()" method call applied on a radio button control.

"This can be exploited by a malicious Web site to corrupt memory in a way that allows the program flow to be redirected to the heap," Secunia said in the alert, warning that successful exploitation allows execution of arbitrary code whenever the target visits the rigged Web site.

The vulnerability was confirmed on a fully patched system with IE 6.0 and Microsoft Windows XP SP2. It has also been confirmed in IE 7 Beta 2 Preview, Secunia said.

The MSRC (Microsoft Security Response Center) said in a blog entry that users of the new refresh of the IE7 Beta 2 Preview announced at Mix '06 are not affected.

Lennart Wistrand, a program manager in the MSRC, recommended that IE users turn off Active Scripting to prevent a possible attack.

"Customers who use supported versions of Outlook or Outlook Express aren't at risk from the e-mail vector since script doesn't render in mail [being read in the restricted sites zone]," Wistrand added.

The latest warning comes just 24 hours after the discovery, and public release, of a denial-of-service bug in the dominant Web browser.

Sources:

http://www.eweek.com/article2/0,1895,1940501,00.asp
http://www.pcmag.com/article2/0,1895,1941724,00.asp
http://www.computerworld.com/softwar...109861,00.html
http://www.technologyreview.com/blog...,p1.html?CMT=1
http://news.com.com/Dangerous+code+o...3-6053456.html

Charan · 24-03-2006, 10:54 AM

Hmm i dont use IE. But i will have to patch it once the patch is available. :roll:

24-03-2006, 10:04 AM	#1 (permalink)
naveenchandran In The Zone Join Date: May 2004 Location: Hosur Operating System:GNU Posts: 451	Microsoft Confirms 'Highly Critical' IE Hole!! Microsoft plans to release a pre-patch advisory with workarounds for a "highly critical" vulnerability that could put millions of Internet Explorer users at the mercy of malicious hackers. http://blogs.technet.com/msrc/default.aspx The advisory, which will be posted here, acknowledges a code execution hole that was discovered and publicly reported by Secunia Research of Copenhagen, Denmark. Secunia said in an alert that the vulnerability is due to an error in the processing of the "createTextRange()" method call applied on a radio button control. "This can be exploited by a malicious Web site to corrupt memory in a way that allows the program flow to be redirected to the heap," Secunia said in the alert, warning that successful exploitation allows execution of arbitrary code whenever the target visits the rigged Web site. The vulnerability was confirmed on a fully patched system with IE 6.0 and Microsoft Windows XP SP2. It has also been confirmed in IE 7 Beta 2 Preview, Secunia said. The MSRC (Microsoft Security Response Center) said in a blog entry that users of the new refresh of the IE7 Beta 2 Preview announced at Mix '06 are not affected. Lennart Wistrand, a program manager in the MSRC, recommended that IE users turn off Active Scripting to prevent a possible attack. "Customers who use supported versions of Outlook or Outlook Express aren't at risk from the e-mail vector since script doesn't render in mail [being read in the restricted sites zone]," Wistrand added. The latest warning comes just 24 hours after the discovery, and public release, of a denial-of-service bug in the dominant Web browser. Sources: http://www.eweek.com/article2/0,1895,1940501,00.asp http://www.pcmag.com/article2/0,1895,1941724,00.asp http://www.computerworld.com/softwar...109861,00.html http://www.technologyreview.com/blog...,p1.html?CMT=1 http://news.com.com/Dangerous+code+o...3-6053456.html __________________ Million's Of Open Minds Can't Be Wrong! http://nc.xmgfree.com/weblog Everybody Wants to go to Heaven...But nobody wants to Die!

24-03-2006, 10:54 AM	#2 (permalink)
Charan >:)I-):(\|)8-X Join Date: Sep 2004 Location: ಬೆಂಗಳೂರು (Bengaluru) Posts: 3,511	Hmm i dont use IE. But i will have to patch it once the patch is available. :roll: __________________ i5 2400 \| DH67BL \| G.Skill Ripjaw 4 GB \| FSP SAGA II 500W \| CM 430 Black Elite \| MSI R6850 Cyclone PE/OC \| XBox 360 Controller \| 21.5" Samsung Sync Master 2233 \| 4 Mbps UL

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Popular Categories

Popular Articles

Content Categories

Sister Sites

Follow Us

Facebook Channels

Digit Magazine

	Advertisements. Register and be a member of the community to get rid of them.
Advertisement