New Zero-Day Bug Crashes Internet Explorer

Because the vulnerability can be exploited by a single malicious HTML tag, IE could be brought to its knees if its user simply surfs to a nasty Web site.

Gregg Keizer, Contributor

March 17, 2006

2 Min Read
InformationWeek logo in a gray background | InformationWeek

Microsoft's Internet Explorer browser crashes when attacked through a new unpatched vulnerability, security companies told TechWeb Friday.

The zero-day bug occurs within the "mshtml" library when a malformed HTML tag with an abnormally large number of script handlers is fed to the browser. According to the researcher who posted the initial description to the Bugtraq security mailing list, attackers can easily crash IE by flooding its buffer.

The researcher, Michal Zalewski, also released proof-of-concept code that crashes the latest IE release on a fully-patched edition of Windows XP SP2.

Symantec noted in an alert to customers of its DeepSight system that its staff had confirmed the proof-of-concept code crashed IE in some, but not all, situations. Also on Friday, rival McAfee released a new signature to anti-virus customers that detects the proof-of-concept exploit.

Because the vulnerability can be exploited by a single malicious HTML tag, IE could be brought to its knees if its user simply surfed to a nasty Web site. Symantec, however, warned that the bug may be even more serious. "Further investigation in the details of exploiting the vulnerability to determine the possibility of code execution are currently under way," the company's advisory read.

If that's the case, IE users may face a new major hijack risk.

There are no known work-arounds, and Microsoft did not immediately respond to questions about its plans for the vulnerability.

"Until more information is available it is advised that all users take extra caution in their browsing activities, and limit web access to trusted web sources only," Symantec recommended.

Zalewski, however, noted that other browsers, such as Firefox and Opera, were not susceptible to the attack, implicitly advising users to consider an alternate browser.

Finally, he pre-empted Microsoft, which always criticizes researchers who disclose bugs before the Redmond, Wash.-based developer can create a fix, with a blast of his own.

"I eagerly await due reprimend [sic] from Microsoft for not disclosing this vulnerability in a manner that benefits them most," Zalewski said in his Bugtraq posting.

About the Author

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights