IE zero-day vulnerability

by Ivana Strahija on March 18th, 2006

Internet Explorer has once again been put in the public eye as being less safe. The newest bug can crash the browser and may even allow attackers to take over the system.

Michal Zalewski, who discovered the zero-day vulnerability, says it's a remote overflow in script action handlers (mshtml.dll): "This vulnerability can be triggered by specifying more than a couple thousand script action handlers (such as onLoad, onMouseMove, etc.) for any single HTML tag. Due to a programming error, MSIE will then attempt to write memory array out of bounds, at an offset corresponding to the ID of the script action handler multiplied by 4," writes Zalewski. He said that the bug, if exploited, will crash the Internet Explorer browser.

The security researcher also provided proof-of-concept code for a fully patched WinXP SP2 system with IE 6; Firefox and Opera are not vulnerable. This was also confirmed by Symantec, which warns its users in an advisory that the vulnerability has to be explored further to determine its impact. McAfee has also issued a warning to its customers.

Security experts fear that the exploit could be used to take over the attacked PC, and advise users to surf the web with an alternate browser, or at least keep to trusted web sites.
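For defenders who want to spot pages matching the trigger condition Zalewski describes, the following is an added example (not code from the article or from the researcher) that flags any HTML tag carrying an unusually large number of `on*` handler attributes. The function name, class name and the threshold of 500 are assumptions; the constructed sample is scaled down and checked with a lower threshold.

```python
from html.parser import HTMLParser

# Assumed cut-off: the article only says "more than a couple thousand".
# Pick a value well above what your own pages legitimately use.
DEFAULT_THRESHOLD = 500


class HandlerCounter(HTMLParser):
    """Records tags whose on* attribute count exceeds a threshold."""

    def __init__(self, threshold):
        super().__init__(convert_charrefs=True)
        self.threshold = threshold
        self.findings = []  # (line, tag, handler_count)

    def _check(self, tag, attrs):
        # attrs is a list of (name, value) pairs with names lowercased;
        # duplicates are preserved, so repeated handlers are all counted.
        count = sum(1 for name, _ in attrs
                    if name.startswith("on") and len(name) > 2)
        if count > self.threshold:
            self.findings.append((self.getpos()[0], tag, count))

    def handle_starttag(self, tag, attrs):
        self._check(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        # Self-closing tags (<img ... />) are checked once here.
        self._check(tag, attrs)


def find_handler_floods(html, threshold=DEFAULT_THRESHOLD):
    """Return [(line, tag, count)] for tags with more than `threshold` handlers."""
    parser = HandlerCounter(threshold)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample, scaled down: ordinary tags plus one tag with 10 handlers.
SAMPLE = (
    '<html><body onload="init()">\n'
    '<a href="/" onclick="go()" onmouseover="hi()">home</a>\n'
    '<img src="x.png" ' + " ".join(f'onclick="f{i}()"' for i in range(10)) + ">\n"
    "</body></html>"
)

if __name__ == "__main__":
    for line, tag, count in find_handler_floods(SAMPLE, threshold=8):
        print(f"line {line}: <{tag}> has {count} script handlers")
```

A check like this fits in a proxy or mail-gateway content filter, where a hit can be logged or the page blocked before it reaches a vulnerable browser.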
