Barely two weeks after shipping an Internet Explorer security makeover to cover a wave of drive-by malware downloads, Microsoft is scrambling to address the public disclosure of a new zero-day vulnerability that could be used in code execution attacks.
The Redmond, Wash. software maker confirmed it was investigating a warning posted on the Full-disclosure mailing list that the latest versions of IE causes various types of crashes when visiting Web pages with nested OBJECT tags.
A spokesman for Microsoft said the initial investigation has revealed that the bug would most likely result in the browser closing unexpectedly or failing to respond.
“Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary.”
Michal Zalewski, the researcher who discovered the flaw and published the advisory without notifying Microsoft, said the issue was confirmed on fully patched versions of IE 6.0 and Microsoft Windows XP SP2 (Service Pack 2).
“At first sight, this vulnerability may offer a remote compromise vector, although not necessarily a reliable one,” Zalewski said.
Microsoft ponders an emergency patch. Click here to read more.
He described the error as “convoluted and difficult to debug” but warned that the risk of a code execution attack scenario can’t be ruled out.
“As such, panic, but only slightly,” Zalewski said.
Security alerts aggregator Secunia flagged the issue as “highly critical” and stressed that it can be exploited to corrupt memory by tricking a user into visiting a malicious Web site. “Successful exploitation allows execution of arbitrary code,” Secunia warned.
FrSIRT (French Security Incident Response Team) also slapped a “critical” rating on the flaw because of the risk it presents to IE users. In an alert, FrSIRT said the bug could be exploited by remote attackers to execute arbitrary commands.
“This flaw is due to a memory corruption error when processing a specially crafted HTML script that contains malformed “object” tags, which could be exploited by attackers to remotely take complete control of an affected system by convincing a user to visit a specially crafted Web page,” the research firm said.
Researchers at Websense Security Labs said there are no published proof-of-concepts demonstrating a remote code execution attack vector but made it clear that browser crash vulnerabilities often lead to remote code execution exploits.
Read the full story on eWEEK.com: Microsoft Rocked by New IE Zero-Day Flaw Warning
