Skip to Content
Uncategorized

A "Highly Critical" Flaw in Internet Explorer

Security experts warn users of Microsoft’s browser to exercise caution.
March 23, 2006

Security firm Secunia today disclosed a programming error in Microsoft’s Internet Explorer browser that could allow malicious hackers to take over users’ computers and destroy their hard drives or turn them into “zombie” spam mailers.

Microsoft says it is working on a patch that will close the security hole. But until it is ready, security experts are warning Internet Explorer users to use a different browser such as Firefox, or at least change Explorer’s settings to turn off a function called “active scripting.”

The vulnerability, which Secunia has classified as ”highly critical,” affects Internet Explorer 6.0 for Windows XP – the version already used by most owners of Windows PCs – as well as certain beta versions of Internet Explorer 5.5 and 7.0.

In geek speak, the problem lies in the way a program module in Internet Explorer called a DLL handles the JavaScript method “createTextRange()”. A Web page containing specially crafted HTML elements such as radio boxes and check boxes could use the “createTextRange()” instruction to cause a memory corruption error in the DLL, opening up the entire Windows operating system to remote takeover. Hackers could download and execute virus, worm, or spamming software, or even trigger commands that erase the user’s hard drive.

Scott Carpenter, security lab director at Secure Elements, a Herndon, VA, security firm that is tracking the vulnerability, puts that into English: “This new bug in Internet Explorer has the potential of being very bad. Someone is going to turn this into a virus, most probably through e-mail. So watch those spam links. If it looks too good to be true, it probably is. Be careful for a while, and if you have another browser such as Firefox you should probably use it.”

The bug is “new” only in the sense that it went undiscovered until recently. Researcher Andreas Sandblad at Secunia discovered the problem on February 10 and notified Microsoft on February 13, according to Secunia’s advisory on the vulnerability. As is standard procedure in the security business, Secunia kept the information secret while Microsoft assessed the vulnerability.

On March 22, however, an exploit for the vulnerability appeared on the Internet. Secunia discovered a message in a public mailing list pointing to a Web page that contained the exploit, which uses the DLL vulnerability to shut down Explorer. That prompted the company to go public with the information.

Engineers at Microsoft confirmed the vulnerability in a posting on the Microsoft Security Response Center blog, and said they would address it in a security update. Microsoft normally issues a collection of patches for Windows and other Microsoft programs on a monthly cycle. The next scheduled update is three weeks away. But the “createTextRange()” bug is so severe, says Carpenter, that ”my prediction is that Microsoft will issue an out-of-cycle patch for this.”

Until the patch arrives, Internet Explorer users can protect themselves simply by turning off “active scripting,” the browser feature that allows the execution of JavaScript programs inside Web pages. This page provided by the National Center for Atmospheric Research provides easy-to-follow instructions.

The exploit that emerged on March 22 was a “proof of concept” intended by its anonymous authors only to demonstrate that they had discovered, and learned to take advantage of, the memory corruption vulnerability. The exploit is not malicious – it merely shuts down Internet Explorer and, for good measure, launches the Windows Calculator accessory. But simply possessing knowledge of such a vulnerability in a major browser program can be the ticket to a big payoff, according to Carpenter.

“Money, money, and more money” is the reason for the persistence of a hacker underground that constantly searches for weak spots in Windows programs, Carpenter says. Spammers, for example, “will pay over $10,000 these days for an undisclosed vulnerability,” he says.

For more information:

Secunia Research Advisory

Secunia web page on ”createTextRange()” vulnerability

Secure Elements advisory to C5 EVM users

United States Computer Emergency Readiness Team Vulnerability Note VNU #876678

Microsoft Security Response Center Blog

Milw0rm.com description of the exploit

Keep Reading

Most Popular

Large language models can do jaw-dropping things. But nobody knows exactly why.

And that's a problem. Figuring it out is one of the biggest scientific puzzles of our time and a crucial step towards controlling more powerful future models.

OpenAI teases an amazing new generative video model called Sora

The firm is sharing Sora with a small group of safety testers but the rest of us will have to wait to learn more.

Google’s Gemini is now in everything. Here’s how you can try it out.

Gmail, Docs, and more will now come with Gemini baked in. But Europeans will have to wait before they can download the app.

This baby with a head camera helped teach an AI how kids learn language

A neural network trained on the experiences of a single young child managed to learn one of the core components of language: how to match words to the objects they represent.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.