Another Zero-Day Bug Smacks IE
A researcher's note, circulated by Symantec, says Internet Explorer is prone to memory corruption because of the way it handles malformed HTML.
In an alert to customers of its DeepSight threat system, Symantec cited a vulnerability first posted to the Bugtraq security mailing list by researcher Michal Zalewski, who notes that IE is prone to memory corruption because of the way it handles malformed HTML.
HTML content that contains nested closure tags, said Symantec's alert, can trigger the bug.
"An attacker could exploit this issue via a malicious web page to potentially execute arbitrary code in the context of the currently logged-in user," said the advisory. "If the attack is successful, the executable content will be executed. Failed exploit attempts will likely crash the affected application."
While Zalewski has published HTML code that crashes the browser, no more-malicious exploit has yet been seen, said Symantec. Still, it warned IE users to run the browser in a non-administrator user account, stay away from questionable Web sites, and disable HTML in e-mail clients, since an attack could also be launched by getting users to preview HTML-based messages.
Symantec rated the new zero-day vulnerability with an overall threat score of 7.5 out of a possible 10.
"Panic, but only slightly," said Zalewski in his Bugtraq listing.