Security experts have once again “gifted” Microsoft with a serious vulnerability in the Internet Explorer (IE) browser – marking the third IE flaw uncovered this week.
Source: SGnec
The reason this vulnerability is classified as “Critical” is that it allows attackers to gain control of the victim’s computer. The issue arises from how IE processes information using the createTextRange method. According to Computer Terrorism, by injecting malicious code into the browser, hackers can crash the system’s memory and trick the computer into launching harmful software.
Computer Terrorism did not disclose sample code demonstrating how this vulnerability could be exploited but asserted that it is a reliable “theoretical” flaw. Both IE6 and the beta version of IE7 running on Windows XP are potentially affected.
According to security firm Secunia, Microsoft is actively researching a patch for the vulnerability. Secunia itself rates this flaw as “Highly Critical”.
In the past week, Microsoft has received consecutive alerts regarding two IE vulnerabilities and plans to release a patch for these issues in the upcoming security bulletin on April 11. The first vulnerability, detected last Thursday, is less dangerous but can cause IE to freeze or crash. Meanwhile, the second vulnerability is classified as “serious” since it allows hackers to gain control over the system.
It appears that the latest vulnerability is also the most serious of the three, as it can be exploited without much difficulty. Analysts are concerned that hackers will soon find ways to take advantage of this vulnerability based on the information already published about createTextRange.
Yesterday, Microsoft confirmed that it is working on a security update for IE. “The software is currently undergoing testing and is expected to be released sometime in April.” However, the exact date has not yet been disclosed.
Thien Yi