A Dutch Web developer has discovered a vulnerability in Microsoft Corp.'s Internet Explorer 6 Web browser that could allow a PC to be taken over after a user is lured to a malicious Web site.
Microsoft has reproduced the vulnerability and is analyzing the problem, said Jeffrey Van der Stad, who has described the flaw briefly on his Web site.
The vulnerability lies in how IE 6 handles so-called HTAs, or HTML applications. Van der Stad found a way to execute HTAs without end-user approval. The vulnerability exists in IE 6 for Windows 98, Windows XP Pro, Windows XP Media Center Edition and Windows 2003 Server (Standard), he said.
Van der Stad plans to post proof-of-concept code on his Web site as soon as Microsoft issues a patch.
Microsoft was pleased that he contacted the company instead of publishing the exploit. Van der Stad has removed some of the problem's technical description from his Web site at Microsoft's request.
It's unknown when Microsoft will release a patch for the vulnerability.
"We have been trying to get this fix into the next IE release, but it's been a lot of work to do that as it's relatively late in the cycle. It looks like it will make it in though," Microsoft's security response team wrote in an e-mail to Van der Stad.
Microsoft Netherlands was unable to comment on the vulnerability, and Microsoft could not immediately be reached at its Redmond, Wash., headquarters.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
