Second Bug In A Week Smacks At IE - InformationWeek
07:16 PM

Second Bug In A Week Smacks At IE

By exploiting the zero-day bug, hackers could either get Internet Explorer to run malicious code remotely, or crash the browser. Microsoft has promised a fix.

For the second time in two days, Microsoft Corp. on Wednesday acknowledged a zero-day bug in Internet Explorer, but this time promised to patch the problem.

The vulnerability is caused by an error in Internet Explorer's (IE) processing of the "createTextRange()" JavaScript method call, both Cupertino, Calif.-based Symantec and Danish vulnerability tracker Secunia noted Wednesday. By exploiting the bug, hackers could either get IE to run malicious code remotely, or crash the browser.

"We have confirmed this vulnerability," wrote Lennart Wistrand, lead security program manager, on the Microsoft Security Response Center (MSRC) blog. "I am writing a Microsoft Security Advisory on this…but we wanted to make sure customers knew we were aware of this and we will address it in a security update."

Tuesday, the MSRC had verified that another bug in IE could crash the browser, and might be able to compromise computers. That vulnerability went public last Friday.

The newest flaw could be exploited by designing a malicious Web site that contains the "createTextRange()" JavaScript method, then luring users to the site. People who visited such a site would not know that their system had been hacked.

Secunia tagged the vulnerability with its second-most-dire "highly critical" label.

Although IE 7 and January edition of the IE 7 Beta 2 Preview are vulnerable to attack, Microsoft's Wistrand said that the March 20 version of IE 7's preview is not. TechWeb confirmed that the current IE 7 Beta 2 Preview, available for download here, is safe, by independent testing using the proof-of-concept code that has been posted publicly.

Microsoft touts IE 7 as substantially more secure from attack than earlier versions; last month, in fact, Gary Schare, director of product management for IE, said that the final edition of 7 would "put an end to the last bastion of drive-by downloads."

Scripting vulnerabilities have plagued IE for more than two years. The most recent was a November 2005 flaw that was used by a large number of spyware sites to secretly install software on users' PCs

As in that instance, Microsoft Wednesday recommended that users disable JavaScript until a patch is forthcoming. "If you turn off Active Scripting, that will prevent the attack," Wistrand said.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
2017 State of IT Report
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends for 2018
As we enter a new year of technology planning, find out about the hot technologies organizations are using to advance their businesses and where the experts say IT is heading.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll