Exploit code is now circulating for the so-called createTextRange flaw in Internet Explorer (IE), prompting Microsoft to issue an advisory and security experts to issue sober warnings about the potential impact.
"The irresponsibility of releasing such a dangerous exploit will require systems administrators to take drastic action to protect their systems," Scott Carpenter, director of security labs at Herndon, Va.-based Secure Elements Inc., said in an e-mailed statement. "When vulnerable home systems are added into the equation, Internet Explorer users can expect a virus or worm in the very near future. The most probable vector for this worm will be in the form of spam with malicious links that will tempt users into clicking on a link that takes them to a malicious Web site."
The Bethesda, Md.-based SANS Internet Storm Center (ISC) raised its Infocon to yellow because of the appearance of exploit code, saying the code is a "relatively trivial" model that can be tweaked into something more destructive.
The latest flaw was discovered by Danish vulnerability clearinghouse Secunia. In an advisory, the company described the latest problem as an error in how the "createTextRange()" method is processed on a radio button control. "This can be exploited by a malicious Web site to corrupt memory in a way [that] allows the program flow to be redirected to the heap," Secunia said. "Successful exploitation allows execution of arbitrary code."
Secunia said the vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.
A Microsoft spokesman sought to calm fears about the flaw while also acknowledging its potential as an attack vector.
"Microsoft has determined that an attacker who exploits this vulnerability would have no way to force users to visit a malicious Web site," he said in an e-mail. "Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site."
The software giant's advisory added, "Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This will either take the form of a security update through our monthly release process or providing an out-of-cycle security update."
Meantime, Microsoft said users can protect themselves by configuring IE to prompt before running Active Scripting or by disabling Active Scripting in the Internet and local intranet security zone. Users can also set Internet and local intranet security zone settings to "High" to prompt before running Active Scripting in these zones.
Earlier this week, Microsoft confirmed it was looking into two other flaws. One problem revolves around HTA files, HTML applications that are given higher levels of trust and access to a local system than remote Web pages typically receive. The browser is reportedly vulnerable to attacks where malicious HTA files are embedded in certain Web sites or e-mails. Attackers could exploit this to launch malicious code. The other flaw is an array boundary error in the handling of HTML tags with multiple event handlers. This can be exploited to cause a denial of service.