Highly Critical IE Hole

Internet Explorer users are at the mercy of malicious hackers because of a hole, Microsoft confirmed exists in IE.  A pre-patch advisory with workarounds will be released shortly.  The code execution hole, discovered by Secunia Research of Copenhagen, Denmark, is due to an error in the processing of the “createTextRange()”.

This error can be exploited by malicious web sites to corrupt memory in a way that allows the program flow to be redirected to the heap, reported Secunia.  Successful exploitation allows execution of arbitrary code whenever the target visits the rigged Web site.

The MSRC (Microsoft Security Response Center) said that users of the new refresh of the IE7 Beta 2 Preview are not affected; however, vulnerability was confirmed with both IE 6.0 running Microsoft Windows XP SP2 and IE 7 Beta 2.  MSRC recommends IE users turn off Active Scripting until a patch is available, and further added that supported versions of Outlook and Outlook Express are not at risk from the e-mail vector since the script does not render in mail.

Internet Explorer users are at the mercy of malicious hackers because of a hole, Microsoft confirmed exists in IE.  A pre-patch advisory with workarounds will be released shortly.  The code execution hole, discovered by Secunia Research of Copenhagen, Denmark, is due to an error in the processing of the “createTextRange()”.

This error can be exploited by malicious web sites to corrupt memory in a way that allows the program flow to be redirected to the heap, reported Secunia.  Successful exploitation allows execution of arbitrary code whenever the target visits the rigged Web site.

The MSRC (Microsoft Security Response Center) said that users of the new refresh of the IE7 Beta 2 Preview are not affected; however, vulnerability was confirmed with both IE 6.0 running Microsoft Windows XP SP2 and IE 7 Beta 2.  MSRC recommends IE users turn off Active Scripting until a patch is available, and further added that supported versions of Outlook and Outlook Express are not at risk from the e-mail vector since the script does not render in mail.

Add a Comment

Your email address will not be published. Required fields are marked *