Security experts have once again put Microsoft on alert with the disclosure of a new critical vulnerability in the Internet Explorer (IE) browser – marking the third IE flaw uncovered this week.
Source: SGnec
This vulnerability is rated “Critical” because it allows attackers to take control of the victim’s computer. The issue arises from how IE handles information through the createTextRange method. According to Computer Terrorism, by injecting malicious code into the browser, hackers can corrupt system memory and trick the computer into launching destructive software.
Computer Terrorism did not disclose any sample code demonstrating how this vulnerability could be exploited, but they affirmed that this is a reliable “theoretical” flaw. Both IE 6 and IE 7 beta 2 running on the Windows XP operating system are potentially affected.
According to the security firm Secunia, Microsoft is actively researching a patch for the vulnerability. Secunia has rated this flaw as “Highly Critical”.
Over the past week, Microsoft has received successive alerts about two IE vulnerabilities, and it is expected that a security bulletin released on April 11 will include patches for these flaws. The first vulnerability, discovered last Thursday, is less dangerous but could cause IE to hang or crash. In contrast, the second vulnerability is categorized as “serious” because it allows hackers to gain control of the system.
The latest vulnerability appears to be the most serious of the three, as it can be exploited easily. Analysts are concerned that hackers will soon find ways to exploit this vulnerability based on the information already disclosed about createTextRange.
Yesterday, Microsoft confirmed that it is developing a security update for IE. “The software is currently undergoing testing and may be released as early as April.” However, a specific date has not yet been disclosed.
Thien Yi