Computerworld - Security researchers have discovered a bug in Microsoft Corp.'s Internet Explorer browser that can cause the software to crash and that could possibly be used to let an attacker run unauthorized software on the user's machine.
The bug, which was first discovered by researchers at Austrian security consulting firm SEC Consult Unternehmensberatung GmbH and reported to Microsoft several weeks ago, concerns the way Internet Explorer handles certain software modules.
Microsoft has confirmed that the bug exists and is investigating the matter, said spokeswoman Kjersti Gunderson. The company is not aware of any attacks that have exploited this vulnerability, she added.
By loading HTML pages that make use of certain ActiveX components, researchers were able to overwrite registers on the computer's processor, said Martin Eisner, chief technical officer at SEC Consult. This technique could theoretically be used to fill parts of the computer's memory with malicious code, creating what is called a "heap-based buffer overflow," he said.
"It's possible to crash Internet Explorer," Eisner said. "Executing arbitrary code might be possible; we could not confirm that now."
Eisner expects Microsoft to patch the bug within a few weeks. "Right now it's not that dangerous," he said. "But of course within a couple of weeks there will be somebody who has a little bit more time than we have and there will be an exploit then."
Read more about Security in Computerworld's Security Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
