Microsoft investigates IE flaw

By Matt Whipp

Posted on 23 Nov 2005 at 12:58

Microsoft is investigating reports that a flaw thought to pose little threat is actually extremely dangerous and that there is already publicly available exploit code.

First released in May of this year, Microsoft had understood the implications of the vulnerability were simply that it could cause Internet Explorer to crash if exploited.

Now it appears that the vulnerability could lead to an attacker running code on the target machine.

The company says that once it has completed its investigations it will release a fix, possibly out of its monthly patch cycle, given the reports of proof of concept code being available. However, it says that it does not know of anyone successfully using this code as yet.

Microsoft says it is worried that it wasn't informed of the increased danger beforehand and thus has not had time to build a patch. 'Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk,' it said.

The flaw exists in a problem in the way Internet Explorer handles certain JavaScript commands. When initiating the 'Window() function in conjunction with a event, IE trips up trying to access a memory address, with the potential that attacker's code could be fed into the space it is trying to read using JavaScript to open multiple prompt boxes. The attack could be launched by persuading a victim to visit a specially built website that would trigger these conditions.

Microsoft advises disabling scripting in Internet Explorer while it works on a fix. The problem affects Windows versions from 98 to XP and in some conditions Windows Server 2003.