Skip to Content

A "Highly Critical" Flaw in Internet Explorer

Security experts warn users of Microsoft’s browser to exercise caution.
March 23, 2006

Security firm Secunia today disclosed a programming error in Microsoft’s Internet Explorer browser that could allow malicious hackers to take over users’ computers and destroy their hard drives or turn them into “zombie” spam mailers.

Microsoft says it is working on a patch that will close the security hole. But until it is ready, security experts are warning Internet Explorer users to use a different browser such as Firefox, or at least change Explorer’s settings to turn off a function called “active scripting.”

The vulnerability, which Secunia has classified as ”highly critical,” affects Internet Explorer 6.0 for Windows XP – the version already used by most owners of Windows PCs – as well as certain beta versions of Internet Explorer 5.5 and 7.0.

In geek speak, the problem lies in the way a program module in Internet Explorer called a DLL handles the JavaScript method “createTextRange()”. A Web page containing specially crafted HTML elements such as radio boxes and check boxes could use the “createTextRange()” instruction to cause a memory corruption error in the DLL, opening up the entire Windows operating system to remote takeover. Hackers could download and execute virus, worm, or spamming software, or even trigger commands that erase the user’s hard drive.

Scott Carpenter, security lab director at Secure Elements, a Herndon, VA, security firm that is tracking the vulnerability, puts that into English: “This new bug in Internet Explorer has the potential of being very bad. Someone is going to turn this into a virus, most probably through e-mail. So watch those spam links. If it looks too good to be true, it probably is. Be careful for a while, and if you have another browser such as Firefox you should probably use it.”

The bug is “new” only in the sense that it went undiscovered until recently. Researcher Andreas Sandblad at Secunia discovered the problem on February 10 and notified Microsoft on February 13, according to Secunia’s advisory on the vulnerability. As is standard procedure in the security business, Secunia kept the information secret while Microsoft assessed the vulnerability.

On March 22, however, an exploit for the vulnerability appeared on the Internet. Secunia discovered a message in a public mailing list pointing to a Web page that contained the exploit, which uses the DLL vulnerability to shut down Explorer. That prompted the company to go public with the information.

Engineers at Microsoft confirmed the vulnerability in a posting on the Microsoft Security Response Center blog, and said they would address it in a security update. Microsoft normally issues a collection of patches for Windows and other Microsoft programs on a monthly cycle. The next scheduled update is three weeks away. But the “createTextRange()” bug is so severe, says Carpenter, that ”my prediction is that Microsoft will issue an out-of-cycle patch for this.”

Until the patch arrives, Internet Explorer users can protect themselves simply by turning off “active scripting,” the browser feature that allows the execution of JavaScript programs inside Web pages. This page provided by the National Center for Atmospheric Research provides easy-to-follow instructions.

The exploit that emerged on March 22 was a “proof of concept” intended by its anonymous authors only to demonstrate that they had discovered, and learned to take advantage of, the memory corruption vulnerability. The exploit is not malicious – it merely shuts down Internet Explorer and, for good measure, launches the Windows Calculator accessory. But simply possessing knowledge of such a vulnerability in a major browser program can be the ticket to a big payoff, according to Carpenter.

“Money, money, and more money” is the reason for the persistence of a hacker underground that constantly searches for weak spots in Windows programs, Carpenter says. Spammers, for example, “will pay over $10,000 these days for an undisclosed vulnerability,” he says.

For more information:

Secunia Research Advisory

Secunia web page on ”createTextRange()” vulnerability

Secure Elements advisory to C5 EVM users

United States Computer Emergency Readiness Team Vulnerability Note VNU #876678

Microsoft Security Response Center Blog description of the exploit

Keep Reading

Most Popular

individual aging affects covid outcomes concept
individual aging affects covid outcomes concept

Anti-aging drugs are being tested as a way to treat covid

Drugs that rejuvenate our immune systems and make us biologically younger could help protect us from the disease’s worst effects.

close up of baby with a bottle
close up of baby with a bottle

The baby formula shortage has birthed a shady online marketplace

Desperate parents just want to feed their babies. They’re having to contend with misinformation, price gouging, and scams along the way.

"Olive Garden" NFTs concept
"Olive Garden" NFTs concept

I tried to buy an Olive Garden NFT. All I got was heartburn.

Our newest issue spells out what you need to know about the dizzying world of digital money.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.