Microsoft has issued a pre-patch advisory with workarounds for a “highly critical” vulnerability that could put millions of Internet Explorer users at the mercy of malicious hackers. The advisory confirms the existence of a code execution hole that was discovered and publicly reported by Secunia. “When Internet Explorer displays a Web page that contains certain unexpected method calls to HTML objects, system memory may be corrupted in such a way that an attacker could execute arbitrary code,” the software maker said.
Secunia said in an alert that the vulnerability is due to an error in the processing of the “createTextRange()” method call applied on a radio button control. “This can be exploited by a malicious Web site to corrupt memory in a way that allows the program flow to be redirected to the heap,” Secunia said in the alert, warning that successful exploitation allows execution of arbitrary code whenever the target visits the rigged Web site. The vulnerability was confirmed on a fully patched system with IE 6.0 and Microsoft Windows XP SP2. It has also been confirmed in IE 7 Beta 2 Preview, Secunia said.
No comments:
Post a Comment