Microsoft Issues IE Security Advisory
Microsoft has issued a security advisory ahead of its investigation of a bulletin published by security firm SEC Consult, which describes a flaw that may instantly crash Internet Explorer.
The advisory has been issued by Microsoft as part of a new program that alerts customers about emerging security threats that have been disclosed by third parties.
SEC Consult claims to have discovered that at least 20 commonly found COM objects can lead to an instant crash or exception error if invoked in a particular way. The flaw runs contrary to Microsoft's insistence that Internet Explorer can handle non-ActiveX controls -- i.e. COM components -- as if they were actual ActiveX controls.
To prove its point, SEC Consult posted a sample of the exploit code to its Web site. The advisory surmises that it may be possible to run arbitrary code in the context of IE as a result of loading HTML documents with specially crafted embedded CLSIDs that may result in null-pointer exceptions or even memory corruption.
All versions of Internet Explorer 5.01 and 6.0 are affected by the vulnerability.