IE flaw could unearth worm

Although there is no proof that the vulnerability foretells the execution of arbitrary code, which would allow an attacker or worm to take control of a person's system, there's a strong possibility that the vulnerability is critical.

Freelance security consultant Dave Matthews says that if the bug is fully exploitable, then someone has undoubtedly figured it out by now.

"It's reasonably dangerous. It will require an effective payload to turn it into something more useful. Presumably, someone out there has something already," he told ZDNet Australia.

The potentially critical security flaw was disclosed to the Bugtraq security mailing list, in an act that Matthews says was most likely intended to antagonize the software giant. The buffer overflow vulnerability is triggered by a malicious Java script that can be embedded in an HTML document. When a Web page or HTML file containing the malicious script is viewed by Internet Explorer, versions 5 and 6, the buffer is overrun and the browser crashes.

The code was posted to the BugTraq security mailing list early Sunday morning, but didn't garner much attention until Kevin Finisterre, a security researcher with consultancy Secure Network Operations, confirmed that it crashed IE 6.

"A bug like this could be triggered via a number of means...through e-mail, simply browsing a web page, perhaps browsing a network share," he wrote in an e-mail to CNET News.com. He warned that a worm could be a possibility, but stressed that the flaw only crashes Internet Explorer; no one has yet found a way to use the flaw to force IE to run code. Vulnerabilities that crash applications frequently suggest the possibility of a bigger problem, but Finisterre said other conditions could make exploiting the hole harder.

"It appears to be a little more difficult than your vanilla buffer overflow because all of the data supplied by the attacker is converted to uppercase," he said. That means that the code sent by an attacker to run on the targeted machine would have to work in all capital letters.

A Microsoft representative said that the company is investigating the issue and wouldn't speculate on how dangerous the flaw might be. The software maker wasn't pleased with the premature revelation of the vulnerability before its security teams got a chance to look into the matter. "Its publication may put our customers at risk or at the very least cause customers needless confusion and apprehension," the representative wrote to News.com.

Jamie Gillespie, a security analyst with AusCERT, a clearinghouse for vulnerability information, says it may be too early to go on full alert.

"It is a possibility that it could execute arbitrary code. That has not been proven," he said. "It's hard to say without knowing the internal coding structure of IE."

He did, however, concede that the flaw could pose a risk.

"Most buffer overflows do have a strong possibility to allow the execution of arbitrary code," he said.

According to Gillespie, Microsoft is looking into the issue, but as yet a patch is unavailable. Antivirus scanners will be of little use until definitions are updated, and even then they will be of limited use. What is needed is a patch.

Because the general perception is that HTML is much safer than executable code, such as .exe, .pif and .scr files, chances are that messaging gateways will allow the code to slip into user in-boxes, according to Chy Chuawiwat, managing director of content-filtering company Clearswift Australia.

"Pretty much everybody" allows HTML to pass through company-filtering gateways, he said. Of those, only a small proportion analyze the structure of the HTML code.

"30 percent use some kind of a script analysis tool to look for malicious code in HTML, but if it's not a known pattern that looks malicious it won't pick it up," he said.

Clearswift and other content-filtering and antivirus companies are analyzing the bug to determine the best course of action.

ZDNet Australia's Patrick Gray reported from Sydney.