On March 17th, security firms warned users about a serious new vulnerability in Internet Explorer that could cause the browser to crash if attacked.
The previously unknown and unpatched security flaw arises in the “mshtml” library when a malicious HTML tag is combined with an unusually large number of script handler objects introduced into the browser. Consequently, a malicious attacker could completely disable the browser by causing a buffer overflow.
Researcher Michal Zalewski was the first to describe this security flaw through the Bugtraq security mailing list. Additionally, Michal released a code snippet that could crash Internet Explorer on systems patched against all vulnerabilities on Windows XP Service Pack 2.
Symantec also warned customers within its DeepSight network that employees had tested and confirmed Michal’s code as capable of crashing Internet Explorer in certain scenarios.
On the same day, security firm McAfee released an updated virus definition file capable of detecting attack codes targeting Internet Explorer, similar to Michal’s code.
It can be said that Internet Explorer is highly susceptible to being “taken down” through this new security vulnerability if users access a malicious website, simply because this vulnerability can be exploited using a single “malicious” HTML tag.
However, Symantec also cautioned that this security vulnerability could be even more serious than currently understood. “We need to conduct detailed research into the exploitation methods of this security flaw to determine if it can be exploited through the execution of malicious code.”
If it turns out that this security vulnerability can indeed be exploited through the execution of malicious code, Internet Explorer will face a completely new threat of dangerous attacks.
Currently, there are no solutions or patches available for this security vulnerability. Microsoft has not announced any plans regarding this issue.
“Until we have more detailed information about this security vulnerability, users should exercise caution when browsing the web and limit their access to trusted websites,” Symantec warns.
Meanwhile, Michal noted that other browsers such as Firefox and Opera are not affected by this vulnerability and advised users to consider using alternative browsers instead of Internet Explorer.
