Microsoft Confirms IE6+/IE7 Security Bug

Mr magoo   on 23 March 2006 - 21:25 · 5 comments & 3560 views

The Microsoft Internet Explorer team have confirmed a serious bug that can crash IE when users visit affected websites.

The problem relates to the way the browser handles the createTextRange() function and affects all versions (IE6.x XP SP2 fully patched, IE7 beta). The bug was disclosed publicly last weekend before Microsoft were able to patch the problem.

Lennart from the MSRC blog advised: "Our initial investigation has revealed that if you turn off Active Scripting, that will prevent the attack as this requires script. Customers who use supported versions of Outlook or Outlook Express aren’t at risk from the email vector since script doesn’t render in mail (being read in the restricted sites zone)." He said a security advisory would be released in the coming days.

A Microsoft official recently chided Apple for their lack of a public Security Czar, and was (rightly) criticized for hypocrisy. However, Microsoft, for all their faults (and bugs), do appear to be making better efforts to publicize problems and deal with them in a timely manner. As Blogger in Chief Robert Scoble would say, blogs are about conversations - and it's good to see the security team, arguably one of the most important at Microsoft, getting more involved with their customers.

View: Microsoft Security Response Center Blog




Comments · There are 5 additional comments
#1 MightyJordan on 23 Mar 2006 - 21:34
This does sound bad. If someone could make a list of the affected sites that would help everyone here a lot.
#2 madnuke on 23 Mar 2006 - 21:43
Thank god my story made the main page! This is serious.
#3 thenay on 23 Mar 2006 - 22:40
This doesn't affect the newest build of IE7. Someone posted a link on the forums, and in Firefox and Opera a girl with boxing gloves showed. On the old IE7 build it crashed my browser, but with the newest build it doesn't; it shows the girl.
#4 D.V on 23 Mar 2006 - 23:18
I suppose it's good that they are now taking an effort. It doesn't really concern me though, as I only use IE to test the compatibility of my designs. But it's no doubt good news for many.

btw, hypocrisy is spelled wrong.
#5 pandr on 24 Mar 2006 - 18:45
The latest IE7 beta2 build released on 20 March is not affected by these vulnerabilities.
http://blogs.technet.com/msrc/default.aspx
If you're using the new refresh of the IE7 Beta 2 Preview announced at Mix06, then you are not affected by the public report. You can download the preview at http://www.microsoft.com/windows/ie/ie7/default.msp
