We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
 
74,953 News Articles

IE bug 'puts patched Windows systems at risk'

Microsoft investigates flaws

Microsoft is investigating a zero-day flaw in IE (Internet Explorer) that could put fully patched Windows systems at risk of takeover. Less serious bugs have also been reported in the Firefox and Safari browsers.

The IE bug, discovered by Michael Zalewski and posted on the full-disclosure mailing list on Sunday, could allow attackers to take over a system, Zalewski said.

"Perhaps not surprisingly, there appears to be a vulnerability in how Microsoft Internet Explorer handles (or fails to handle) certain combinations of nested Object tags," Zalewski wrote. "At first sight, this vulnerability may offer a remote compromise vector, although not necessarily a reliable one… As such, panic – but only slightly."

Danish security firm Secunia, which maintains a vulnerability database, flagged the bug as 'highly critical', noting that "successful exploitation allows execution of arbitrary code". The bug has been confirmed on fully patched Windows systems with IE 6.0 and Windows XP SP2, but other versions may be affected, Secunia said.

France's FrSIRT also gave the bug a 'critical' rating. "This flaw is due to a memory corruption error when processing a specially crafted HTML script that contains malformed 'object' tags, which could be exploited by attackers to remotely take complete control of an affected system by convincing a user to visit a specially crafted web page," the company said.

Microsoft said it is investigating the report, but downplayed its significance, saying its investigations so far have shown that the bug is only likely to cause IE to crash.

No proof-of-concept code has been published to date, according to researchers.

Secunia reported a bug in Firefox caused by an error in the handling of "focus()" JavaScript calls, which can cause a system crash. This flaw is not serious, the company said.

The bug in Safari, also non-critical, is due to a problem in processing some "td" HTML tags, Secunia said. "This can be exploited to consume a large amount of CPU and memory resources on a vulnerable system by tricking a user into visiting a malicious website," Secunia said in an advisory.

Both the Firefox and Safari bugs are as yet unpatched.

This story first appeared on Techworld.com.


IDG UK Sites

Samsung Galaxy Note 4 release date, price and specs 2014

IDG UK Sites

iOS 8 features wishlist: the changes iPhone and iPad users want in Apple's iOS 8

IDG UK Sites

25 Years of the World Wide Web: Happy Birthday, Intenet

IDG UK Sites

Developers get access to more Sony camera features