X

Another IE bug hits Microsoft

New, unpatched security flaw could allow an attacker to gain control over a vulnerable Windows computer.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
See full bio
Joris Evers
2 min read
Microsoft is investigating a security flaw that could let an attacker gain control over a vulnerable Windows computer, the company said Tuesday.

The flaw was reported to the company earlier this month by Jeffrey van der Stad, a 25-year-old Dutch programmer. The problem is related to the way the browser processes so-called HTA files, Microsoft said in an e-mailed statement. HTA files are associated with Web applications.

The vulnerability affects Internet Explorer 6 on Windows 98, Windows XP and Windows 2003 Server, according to van der Stad's Web site. "With this vulnerability it is possible to run an HTA file without the user's permission," he wrote.

Initially, van der Stad provided more details on his Web site, but he removed those at Microsoft's request, he wrote. A proof-of-concept exploit will be published when Microsoft issues a fix for the problem, he wrote.

Microsoft is investigating the issue, the company said. At this time, the company is not aware of any attacks attempting to use the reported vulnerability, it said.

Once it completes its inquiry, Microsoft said, it may issue a security advisory or provide a patch through its monthly release process. On his Web site, van der Stad wrote that Microsoft told him a fix is in the works.

On Wednesday, Microsoft said it is currently working on an update for IE that could be ready as soon as next month's patch day, April 11. "Microsoft will try to make the update as comprehensive as possible, but the update itself was already in development when Microsoft was made aware of these vulnerabilities so that may not be possible," a company representative said.

This is the second IE flaw within a week that Microsoft has said it is investigating and may issue a patch for. On Monday the company said it was looking into a bug that could cause the browser to crash.

Also on Wednesday, the Microsoft Security Response team on its blog said it is looking at a third IE big. The flaw has to do with the "createTextRange()" tag and could be exploited to gain control over a vulnerable PC, according to the blog posting.

"We're still investigating, but we have confirmed this vulnerability...We will address it in a security update," a Microsoft Security Response staffer wrote.

Microsoft offered a work-around, in the meantime.

"Our initial investigation has revealed that if you turn off active scripting, that will prevent the attack, as this requires script," according to a posting on Microsoft's blog.

The flaw affects fully patched versions of IE 6 and Microsoft Windows XP with Service Pack 2. The vulnerability also affects IE 7 Beta 2 Preview, according to an advisory issued by security researcher Secunia.

CNET News.com's Dawn Kawamoto contributed to this report.