The bug takes advantage of the way some versions of the IE browser handle long strings of JScript code.
The bug patched yesterday resembles another IE buffer overflow problem reported last year.
In both instances, the bug allows a malicious programmer to take advantage of the way the browser reads a long URL, or, in this case, a long string of JScript code. Once a string exceeds the maximum number of characters the browser expects, the browser crashes, and the remaining characters--potentially comprising malicious code--are written into memory, where they may be executed.
In the case of the previous buffer overflow problem, URLs of the type "res://"--which linked to local resources rather than remote Web pages--would max out after 256 characters, letting malicious programmers write from the 257th character.
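As an added illustration, not code from the article or from Microsoft, the unbounded fixed-buffer copy the article describes sits beside a bounded version that refuses anything beyond the 256-character limit; the res:// URL handling, buffer size and function names are assumptions made for the example.

```c
#include <string.h>

/* The article gives 256 characters as the limit for "res://" URLs; the
 * buffer holds that many plus the terminating NUL (sizes are assumptions). */
#define RES_URL_MAX_LEN 256

/* The vulnerable pattern the article describes: an unbounded copy into a
 * fixed buffer, so the 257th and later characters are written past its
 * end. Shown for contrast only; never call it on untrusted input. */
void copy_res_url_unchecked(char dst[RES_URL_MAX_LEN + 1], const char *url)
{
    strcpy(dst, url);   /* no length check at all */
}

/* Returns 1 if the URL names a local resource ("res://"), else 0. */
int url_is_local_resource(const char *url)
{
    return strncmp(url, "res://", 6) == 0;
}

/* Hardened version: find the terminator without scanning past the limit
 * and refuse anything that would not fit. Returns 0 on success, -1 if the
 * URL is not a res:// URL or is longer than RES_URL_MAX_LEN characters. */
int copy_res_url_bounded(char dst[RES_URL_MAX_LEN + 1], const char *url)
{
    if (!url_is_local_resource(url))
        return -1;
    const char *nul = memchr(url, '\0', RES_URL_MAX_LEN + 1);
    if (nul == NULL)
        return -1;                 /* 257+ characters: reject rather than truncate silently */
    memcpy(dst, url, (size_t)(nul - url) + 1);   /* copies the NUL too */
    return 0;
}

/* Constructs a res:// URL of exactly `len` characters (padded with 'A')
 * and runs it through the bounded copy; returns that result, or -2 if
 * `len` is outside what this harness can build. */
int try_res_url_of_length(size_t len)
{
    char url[1024];
    char dst[RES_URL_MAX_LEN + 1];
    if (len < 6 || len >= sizeof url)
        return -2;
    memcpy(url, "res://", 6);
    memset(url + 6, 'A', len - 6);
    url[len] = '\0';
    return copy_res_url_bounded(dst, url);
}
```

The bounded copy accepts a 256-character URL and rejects a 257-character one, which is exactly the boundary the article describes for the earlier bug.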
In the case of the JScript buffer overflow bug, Microsoft is not disclosing the character limit.
"We know, but don't want to let that information out," said Karan Khanna, product manager for Windows NT security.
Khanna stressed that the bug could not manifest itself as a matter of chance, and that a victim would have to visit a site where the code was deliberately entered. He also noted that Microsoft is not alone in battling the buffer overrun menace.
"This happens on many applications and operating systems," he said. "What we're trying to do is to educate developers about safe coding practices, about taking more care in how they handle strings."
Microsoft has recommended that users unable to download the patch disable active scripting in the "Untrusted" and "Internet" zones under Internet Explorer security preferences.
The problem affects IE 4.0 and 4.01 running on Windows 95, 98, and NT 4.0.