In an advisory on Monday, security firm Secunia announced that a new vulnerability has been detected in Internet Explorer that can crash the browser when a user visits a malicious website. Security researcher Michal Zalewski discovered the flaw last week, and it was thereafter posted to a well-known security mailing list.
In the e-mail, Michal Zalewski wrote, “This might not come as a surprise, but there appears to be a *very* interesting and apparently very much exploitable overflow in Microsoft Internet Explorer.”
The problem is caused by an array boundary error in the handling of HTML tags with multiple event handlers. A specially crafted HTML tag with 94 or more event handlers can cause Internet Explorer 6 to crash.
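A content filter can check for the condition the advisory describes by counting event-handler attributes per tag. The following is an added example, not code from Secunia, Zalewski or Microsoft; `HandlerCounter` and `scan_html` are hypothetical names, the sample markup is constructed, and treating every attribute that starts with `on` as an event handler is an assumption.

```python
from html.parser import HTMLParser

# Threshold taken from the advisory text: 94 or more event handlers in one tag.
HANDLER_THRESHOLD = 94


class HandlerCounter(HTMLParser):
    """Records each start tag whose on* attribute count reaches the threshold."""

    def __init__(self, threshold=HANDLER_THRESHOLD):
        super().__init__(convert_charrefs=True)
        self.threshold = threshold
        self.findings = []  # tuples of (line, tag, handler_count)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names and keeps duplicates,
        # so a handler repeated many times is counted every time it appears.
        count = sum(1 for name, _ in attrs
                    if name.startswith("on") and len(name) > 2)
        if count >= self.threshold:
            line, _col = self.getpos()
            self.findings.append((line, tag, count))


def scan_html(markup, threshold=HANDLER_THRESHOLD):
    """Return a list of (line, tag, handler_count) for suspicious tags."""
    parser = HandlerCounter(threshold)
    parser.feed(markup)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    # Constructed sample page: ordinary markup with a few handlers.
    sample = (
        "<html><body>\n"
        '<a href="/home" onclick="go()">home</a>\n'
        '<img src="a.png" onload="a()" onerror="b()" onclick="c()">\n'
        "</body></html>\n"
    )
    # With the advisory's threshold nothing in this page is flagged.
    print(scan_html(sample))               # []
    # Lowered threshold, only to show what a finding looks like.
    print(scan_html(sample, threshold=3))  # [(3, 'img', 3)]
```
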
Secunia has given the flaw a “not critical” rating, its lowest severity rating, and recommended that those concerned stay away from malicious websites until the problem is addressed. For now, the problem has been confirmed to exist on fully patched systems running Internet Explorer 6 with Windows XP Service Pack 2.
Microsoft said it was aware of the vulnerability and was investigating. A spokesperson said, “At this time, we are not aware of any attacks attempting to use the reported vulnerability.”
It has not yet been revealed whether Microsoft will offer a patch for the vulnerability as part of its monthly Patch Tuesday updates, or issue a special update if it feels one is essential.