A researcher's note, circulated by Symantec, says Internet Explorer is prone to memory corruption because of the way it handles malformed HTML.
Microsoft's Internet Explorer, which was just patched with 10 fixes two weeks ago, suffers from yet another zero-day vulnerability that can be exploited remotely, security firm Symantec said Monday.
In an alert to customers of its DeepSight threat system, Symantec cited a vulnerability first posted to the Bugtraq security mailing list by researcher Michal Zalewski, who notes that IE is prone to memory corruption because of the way it handles malformed HTML.
HTML content that contains nested closure tags, said Symantec's alert, can trigger the bug.
"An attacker could exploit this issue via a malicious web page to potentially execute arbitrary code in the context of the currently logged-in user," said the advisory. "If the attack is successful, the executable content will be executed. Failed exploit attempts will likely crash the affected application."
A fully-patched version of IE 6 for Windows XP SP2 -- the most-secure production version of Microsoft's browser -- is open to the attack.
While Zalewski has published HTML code that crashes the browser, no more-malicious exploit has yet been seen, said Symantec. Still, it warned IE users to run the browser in a non-administration user account, stay away from questionable Web sites, and disable HTML in e-mail clients, since an attack could also be launched by getting users to preview HTML-based messages.
Symantec rated the new zero-day vulnerability with an overall threat score of 7.5 out of a possible 10.
"Panic, but only slightly," said Zalewski in his Bugtraq listing.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.