
By Joris Evers
Posted on ZDNet News: Mar 22, 2006 2:11:00 AM

Microsoft is investigating a security flaw that could let an attacker gain control over a vulnerable Windows computer, the company said Tuesday.

The flaw was reported to the company earlier this month by Jeffrey van der Stad, a 25-year-old Dutch programmer. The problem is related to the way the browser processes so-called HTA files, Microsoft said in an e-mailed statement. HTA files are associated with Web applications.

The vulnerability affects Internet Explorer 6 on Windows 98, Windows XP and Windows 2003 Server, according to van der Stad's Web site. "With this vulnerability it is possible to run an HTA file without the user's permission," he wrote.

Initially, van der Stad provided more details on his Web site, but he removed those at Microsoft's request, he wrote. A proof-of-concept exploit will be published when Microsoft issues a fix for the problem, he wrote.

Microsoft is investigating the issue, the company said. At this time, the company is not aware of any attacks attempting to use the reported vulnerability, it said.

Once it completes its inquiry, Microsoft said, it may issue a security advisory or provide a patch through its monthly release process. On his Web site, van der Stad wrote that Microsoft told him a fix is in the works.

On Wednesday, Microsoft said it is currently working on an update for IE that could be ready as soon as next month's patch day, April 11. "Microsoft will try to make the update as comprehensive as possible, but the update itself was already in development when Microsoft was made aware of these vulnerabilities so that may not be possible," a company representative said.

This is the second IE flaw within a week that Microsoft has said it is investigating and may issue a patch for. On Monday the company said it was looking into a bug that could cause the browser to crash.

Also on Wednesday, the Microsoft Security Response team said on its blog that it is looking at a third IE bug. The flaw has to do with the "createTextRange()" tag and could be exploited to gain control over a vulnerable PC, according to the blog posting.

"We're still investigating, but we have confirmed this vulnerability...We will address it in a security update," a Microsoft Security Response staffer wrote.

In the meantime, Microsoft offered a workaround.

"Our initial investigation has revealed that if you turn off active scripting, that will prevent the attack, as this requires script," according to a posting on Microsoft's blog.

The flaw affects fully patched versions of IE 6 and Microsoft Windows XP with Service Pack 2. The vulnerability also affects IE 7 Beta 2 Preview, according to an advisory issued by security researcher Secunia.

CNET News.com's Dawn Kawamoto contributed to this report.


  • Talkback
  • Most Recent of 30 Talkback(s)
So what's new in Redmons/windows
It's the same-o same-o, too little too late.

If it had been done right the first time around they wouldn't have to do it over!

Sheesh!

s/Stan...
Posted by: WSHBaker@... Posted on: 03/23/06