MIT Technology Review

A "Highly Critical" Flaw in Internet Explorer

Security experts warn users of Microsoft’s browser to exercise caution.

Security firm Secunia today disclosed a programming error in Microsoft’s Internet Explorer browser that could allow malicious hackers to take over users’ computers and destroy their hard drives or turn them into “zombie” spam mailers.

Microsoft says it is working on a patch that will close the security hole. But until it is ready, security experts are warning Internet Explorer users to use a different browser such as Firefox, or at least change Explorer’s settings to turn off a function called “active scripting.”

The vulnerability, which Secunia has classified as “highly critical,” affects Internet Explorer 6.0 for Windows XP – the version already used by most owners of Windows PCs – as well as certain beta versions of Internet Explorer 5.5 and 7.0.

In geek speak, the problem lies in the way a program module in Internet Explorer called a DLL handles the JavaScript method “createTextRange()”. A Web page containing specially crafted HTML elements such as radio boxes and check boxes could use the “createTextRange()” instruction to cause a memory corruption error in the DLL, opening up the entire Windows operating system to remote takeover. Hackers could download and execute virus, worm, or spamming software, or even trigger commands that erase the user’s hard drive.

Scott Carpenter, security lab director at Secure Elements, a Herndon, VA, security firm that is tracking the vulnerability, puts that into English: “This new bug in Internet Explorer has the potential of being very bad. Someone is going to turn this into a virus, most probably through e-mail. So watch those spam links. If it looks too good to be true, it probably is. Be careful for a while, and if you have another browser such as Firefox you should probably use it.”

The bug is “new” only in the sense that it went undiscovered until recently. Researcher Andreas Sandblad at Secunia discovered the problem on February 10 and notified Microsoft on February 13, according to Secunia’s advisory on the vulnerability. As is standard procedure in the security business, Secunia kept the information secret while Microsoft assessed the vulnerability.

On March 22, however, an exploit for the vulnerability appeared on the Internet. Secunia discovered a message in a public mailing list pointing to a Web page that contained the exploit, which uses the DLL vulnerability to shut down Explorer. That prompted the company to go public with the information.

Engineers at Microsoft confirmed the vulnerability in a posting on the Microsoft Security Response Center blog, and said they would address it in a security update. Microsoft normally issues a collection of patches for Windows and other Microsoft programs on a monthly cycle. The next scheduled update is three weeks away. But the “createTextRange()” bug is so severe, says Carpenter, that “my prediction is that Microsoft will issue an out-of-cycle patch for this.”

Until the patch arrives, Internet Explorer users can protect themselves simply by turning off “active scripting,” the browser feature that allows the execution of JavaScript programs inside Web pages. This page provided by the National Center for Atmospheric Research provides easy-to-follow instructions.
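For administrators who would rather check and apply the "active scripting" setting from a script than through the browser's dialogs, the following is an added example, not part of the original article or of any vendor's guidance. It assumes the standard per-user Internet Explorer zone settings in the registry, where value 1400 holds the Active scripting choice for each zone; the function names are hypothetical.

```powershell
# Added example: audit and disable IE "Active scripting" (URL action 1400) per security zone.
# Assumption: per-user zone settings; values set by Group Policy take precedence and are not read here.
$ZonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$States    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveScriptingState {
    # Report the current Active scripting state for every zone.
    foreach ($zone in 0..4) {
        $path  = Join-Path $ZonesKey "$zone"
        $value = (Get-ItemProperty -Path $path -Name '1400' -ErrorAction SilentlyContinue).'1400'

        if ($null -eq $value) {
            $state = 'Not set'
        } elseif ($States.ContainsKey([int]$value)) {
            $state = $States[[int]$value]
        } else {
            $state = "Unknown ($value)"
        }

        [pscustomobject]@{ Zone = $zone; Name = $ZoneNames[$zone]; ActiveScripting = $state }
    }
}

function Disable-ActiveScripting {
    # Default to the Internet zone (3), where untrusted Web pages are rendered.
    param([int[]]$Zone = @(3))

    foreach ($z in $Zone) {
        $path = Join-Path $ZonesKey "$z"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # 3 = Disable; 0 = Enable and 1 = Prompt are the other choices.
        Set-ItemProperty -Path $path -Name '1400' -Value 3 -Type DWord
    }
}

Get-ActiveScriptingState | Format-Table -AutoSize   # before
Disable-ActiveScripting                             # Internet zone only
Get-ActiveScriptingState | Format-Table -AutoSize   # after
```

Sites that depend on JavaScript will stop working in the affected zone until the value is restored, so record the "before" output and put it back once the patch is installed.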

The exploit that emerged on March 22 was a “proof of concept” intended by its anonymous authors only to demonstrate that they had discovered, and learned to take advantage of, the memory corruption vulnerability. The exploit is not malicious – it merely shuts down Internet Explorer and, for good measure, launches the Windows Calculator accessory. But simply possessing knowledge of such a vulnerability in a major browser program can be the ticket to a big payoff, according to Carpenter.

“Money, money, and more money” is the reason for the persistence of a hacker underground that constantly searches for weak spots in Windows programs, Carpenter says. Spammers, for example, “will pay over $10,000 these days for an undisclosed vulnerability,” he says.

For more information:

Secunia Research Advisory

Secunia web page on “createTextRange()” vulnerability

Secure Elements advisory to C5 EVM users

United States Computer Emergency Readiness Team Vulnerability Note VNU #876678

Microsoft Security Response Center Blog

Milw0rm.com description of the exploit
