Another IE 6.0 vulnerability emerges

By Steve Malone

Posted on 5 Jul 2006 at 10:47

Another problem has surfaced with Internet Explorer. A proof of concept code has revealed that the Microsoft browser is open to attack through ActiveX, Microsoft's built in programming interface on Internet Explorer. Security firm Secunia rates the vulnerability as 'highly critical'.

According to Secunia, the vulnerability is due to an error in the HTML Help ActiveX control (hhctrl.ocx) when handling the 'Image' property. This can be exploited to cause a memory corruption by setting an overly long string multiple times for the property with the end result that a hacker may be able to take control of the machine.

The security firm says that the vulnerability has been confirmed on a fully patched system running Windows XP SP2 with Internet Explorer 6.0. Other versions of Windows running with different browsers such as the current beta Internet Explorer 7.0 may also be affected. Firefox, which does not support ActiveX, is unaffected.

The advice given to users wishing to guard against the latest exploit is to disable the 'Run ActiveX controls and plug-ins' setting for all but trusted sites - which is probably good advice in any case.