Microsoft is readying an update to IE (Internet Explorer) following the recent discovery of two unpatched IE vulnerabilities, including one bug that could allow attackers to seize control of a victim's PC.
"We're working on an update to IE. That update is currently in our testing process and could come out as early as April," said Stephen Toulouse, a security program manager with Microsoft's security response center. "However, there's no firm date."
The more significant of the two vulnerabilities was discovered earlier this month by web developer Jeffrey van der Stad. He claims to have discovered a way for attackers to trick IE into executing HTA (HTML application) files without the user's permission. HTA is a Microsoft-created format that is used to create HTML-based apps.
Victims could have their systems compromised by visiting a website that contained the malicious code, van der Stad said. "With a specially designed website, it is possible to execute such a file without any prompt," he said.
Van der Stad has not published technical details of his bug, but Microsoft has been able to reproduce the problem and is hoping to have it patched in its next IE release, he said.
A bug that let attackers launch unauthorised HTML applications could be exploited to seize control of a Windows system, according to Russ Cooper, a senior information security analyst at Cybertrust. "Just think of it as an executable," he said.
Still, Cooper believes that because of the difficulties involved in first tricking users into visiting a malicious website, it is unlikely that this bug will ever be exploited in a widespread fashion. "You need a website, and it needs to stay up, or you have to keep changing it, which means changing the [malicious link] to it you sent everyone," he said.
Toulouse would not comment on whether Microsoft considered the bug to be severe, saying that this information would "put customers at risk by providing attackers with information before the update is available".
He also did not say whether he expected this problem to be patched during the company's next group of security updates, scheduled for 11 April.
However, Microsoft has confirmed that it is investigating a separate IE vulnerability that could cause its browser to crash. Code that takes advantage of this vulnerability has already been published on the internet. But because the bug does not appear to cause anything worse than a browser crash, it is not considered to be critical, according to security vendors.
Microsoft has confirmed that this bug can crash IE, the company said in a note published yesterday.
Van der Stad's comments on the bug he discovered, which he calls Grasshopper, can be found here.