Barely two weeks after shipping an Internet Explorer security makeover to cover a wave of drive-by malware downloads, Microsoft is scrambling to address the public disclosure of a new zero-day vulnerability that could be used in code execution attacks. The Redmond, Wash. software maker confirmed it was investigating a warning posted on the Full-disclosure mailing list that the latest versions of IE crash in various ways when visiting Web pages with nested OBJECT tags.

A spokesman for Microsoft said the initial investigation has revealed that the bug would most likely result in the browser closing unexpectedly or failing to respond. "Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary."

View: The full story
News source: eWeek



#1 Posted by b0m8er on 26 Apr 2006 - 09:38
What IE is affected? 6 SP2?
I hope IE7 beta 2 is fine..
#2 Posted by carpediem on 26 Apr 2006 - 10:00
Firefox also got one
http://www.securident.com/vuln/ff.txt

#2.1 Posted by mrbester on 26 Apr 2006 - 12:14
Big difference being that the Mozilla dev will most likely sort it out in a few days, maybe less if it is a critical security problem, whereas Microsoft (as stated in the linked article) will do the usual round-the-houses fob-off until patch day next month. If then.
#2.2 Posted by markjensen on 26 Apr 2006 - 13:48
"http://www.securident.com/vuln/ffdos.htm"
The Proof of Concept exploit link didn't do anything for me. Just opened a browser to a page with a blank scrollable area, and a small-ish text box beneath it.

How old is that link, anyhow?
#2.3 Posted by Ned on 26 Apr 2006 - 15:29
It worked for me using 1.5.0.2

edit - hmm, it's fixed in the latest 1.5.0.3 build....

Of course, that build won't be officially released until when now?

Last edited by Ned on 26 Apr 2006 - 15:37
#2.4 Posted by pandr on 27 Apr 2006 - 11:23
There are 2 high critical flaws in Firefox 1.5.0.2:

this: http://www.securident.com/vuln/ff.txt
Result: Firefox Remote Code Execution and Denial of Service - Vendor contacted, no patch yet.

and this: https://bugzilla.mozilla.org/show_bug.cgi?id=334341
Mozilla Firefox 1.5.0.2 allows user-complicit remote attackers to open local files via a web page with an IMG element containing a SRC attribute with a non-image file:// URL, then tricking the user into selecting View Image for the broken image, as demonstrated using a .wma file to launch Windows Media Player, or by referencing an "alternate web page."
#3 Posted by mircleman on 26 Apr 2006 - 12:00
God, Microsoft scrambling AGAIN and people still defend them. When's enough, enough?
#4 Posted by Mohsin Naqi on 26 Apr 2006 - 14:31
Hole in an a$$.. what's the big deal?
#5 Posted by ahhell on 26 Apr 2006 - 15:44
*yawn*

Sounds like antiMicrosoft-fanboyism to me.