Critical Flaw Affects Internet Explorer
A new vulnerability has been discovered in Internet Explorer's handling of the OBJECT tag that could cause the browser to crash. At first glance, the bug appears to be little more than a nuisance, although security experts could not rule out an attack vector.
Existence of the flaw has been confirmed on a fully patched version of Internet Explorer 6 running on Windows XP Service Pack 2, according to an advisory on the issue.
"At first sight, this vulnerability may offer a remote compromise vector, although not necessarily a reliable one," security researcher Michal Zalewski posted to the Full-disclosure mailing list on Sunday. "As such, panic, but only slightly."
Security firm Secunia has issued a slightly more dire warning regarding the flaw. Calling it a "highly critical" vulnerability, the firm said that successful exploitation would allow for the execution of arbitrary code. The firm recommends that users do not visit untrusted Web sites until a fix is provided.
Other security firms said that no known malicious sites are currently attempting to take advantage of the vulnerability, but scans are ongoing. Additionally, no known exploit code is available to the public.
Microsoft has confirmed the issue, saying its initial tests showed that the flaw results only in a crash. An investigation is ongoing, but no possible remedies have been announced.
Disclosure of the flaw comes just two weeks after April's Patch Tuesday, when some ten vulnerabilities were patched as part of the monthly security update.