A "Highly Critical" Flaw in Internet Explorer

Security experts warn users of Microsoft’s browser to exercise caution.
March 23, 2006

Security firm Secunia today disclosed a programming error in Microsoft’s Internet Explorer browser that could allow malicious hackers to take over users’ computers and destroy their hard drives or turn them into “zombie” spam mailers.

Microsoft says it is working on a patch that will close the security hole. But until it is ready, security experts are warning Internet Explorer users to use a different browser such as Firefox, or at least change Explorer’s settings to turn off a function called “active scripting.”

The vulnerability, which Secunia has classified as “highly critical,” affects Internet Explorer 6.0 for Windows XP – the version already used by most owners of Windows PCs – as well as certain beta versions of Internet Explorer 5.5 and 7.0.

In geek speak, the problem lies in the way a program module in Internet Explorer called a DLL handles the JavaScript method “createTextRange()”. A Web page containing specially crafted HTML elements such as radio boxes and check boxes could use the “createTextRange()” instruction to cause a memory corruption error in the DLL, opening up the entire Windows operating system to remote takeover. Hackers could download and execute virus, worm, or spamming software, or even trigger commands that erase the user’s hard drive.

Scott Carpenter, security lab director at Secure Elements, a Herndon, VA, security firm that is tracking the vulnerability, puts that into English: “This new bug in Internet Explorer has the potential of being very bad. Someone is going to turn this into a virus, most probably through e-mail. So watch those spam links. If it looks too good to be true, it probably is. Be careful for a while, and if you have another browser such as Firefox you should probably use it.”

The bug is “new” only in the sense that it went undiscovered until recently. Researcher Andreas Sandblad at Secunia discovered the problem on February 10 and notified Microsoft on February 13, according to Secunia’s advisory on the vulnerability. As is standard procedure in the security business, Secunia kept the information secret while Microsoft assessed the vulnerability.

On March 22, however, an exploit for the vulnerability appeared on the Internet. Secunia discovered a message in a public mailing list pointing to a Web page that contained the exploit, which uses the DLL vulnerability to shut down Explorer. That prompted the company to go public with the information.

Engineers at Microsoft confirmed the vulnerability in a posting on the Microsoft Security Response Center blog, and said they would address it in a security update. Microsoft normally issues a collection of patches for Windows and other Microsoft programs on a monthly cycle. The next scheduled update is three weeks away. But the “createTextRange()” bug is so severe, says Carpenter, that “my prediction is that Microsoft will issue an out-of-cycle patch for this.”

Until the patch arrives, Internet Explorer users can protect themselves simply by turning off “active scripting,” the browser feature that allows the execution of JavaScript programs inside Web pages. This page provided by the National Center for Atmospheric Research provides easy-to-follow instructions.
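For administrators who want to check the "active scripting" setting across machines rather than through the browser dialog, the following PowerShell is an added example (not from this article or the instructions it links to). It assumes the standard Windows registry locations for Internet Explorer security zones, where URL action `1400` controls active scripting; the function names are hypothetical.

```powershell
# Added example: audit the "Active scripting" URL action (1400) per IE security zone.
# Value data: 0 = Enabled, 1 = Prompt, 3 = Disabled.
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Listed in order of precedence: policy keys, when present, override the user's preference.
$Roots = [ordered]@{
    'Machine policy'  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'User policy'     = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'User preference' = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
}

function Get-ActiveScriptingSetting {
    param([int[]]$Zone = @(3, 4))
    foreach ($z in $Zone) {
        foreach ($source in $Roots.Keys) {
            $key  = Join-Path $Roots[$source] $z
            $prop = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
            $state = if ($null -eq $prop) {
                'Not set'
            } elseif ($Meaning.ContainsKey([int]$prop.'1400')) {
                $Meaning[[int]$prop.'1400']
            } else {
                "Unknown ($($prop.'1400'))"
            }
            [pscustomobject]@{ Zone = $ZoneNames[$z]; Source = $source; ActiveScripting = $state }
        }
    }
}

function Disable-ActiveScripting {
    # Writes the per-user preference only; run with -WhatIf to preview the change.
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Zone = 3)
    $key = Join-Path $Roots['User preference'] $Zone
    if ($PSCmdlet.ShouldProcess($key, 'Set 1400 (Active scripting) to 3 (Disabled)')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
    }
}

Get-ActiveScriptingSetting | Format-Table -AutoSize
# Disable-ActiveScripting -Zone 3 -WhatIf
```

A row reading "Enabled" or "Not set" for the Internet zone means pages in that zone can still run script, so the workaround described above is not in effect for that user.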

The exploit that emerged on March 22 was a “proof of concept” intended by its anonymous authors only to demonstrate that they had discovered, and learned to take advantage of, the memory corruption vulnerability. The exploit is not malicious – it merely shuts down Internet Explorer and, for good measure, launches the Windows Calculator accessory. But simply possessing knowledge of such a vulnerability in a major browser program can be the ticket to a big payoff, according to Carpenter.

“Money, money, and more money” is the reason for the persistence of a hacker underground that constantly searches for weak spots in Windows programs, Carpenter says. Spammers, for example, “will pay over $10,000 these days for an undisclosed vulnerability,” he says.

For more information:

Secunia Research Advisory

Secunia web page on “createTextRange()” vulnerability

Secure Elements advisory to C5 EVM users

United States Computer Emergency Readiness Team Vulnerability Note VNU #876678

Microsoft Security Response Center Blog description of the exploit
