A buffer overflow vulnerability in certain versions of Microsoft Internet Explorer leaves the Web browser open to infection from viruses, worms and other malicious code.
Outsiders exploiting the vulnerability would be able to execute code of their choice on a computer running unpatched versions of IE 5.01, 5.5 or 6.0 if the user visits a rogue Web site or previews or opens an infected HTML e-mail.
The flaw is in the way Internet Explorer parses embedded HTML tags to support multi-media components and to launch external programs, said Dan Ingevaldson, team leader of Internet Security Systems' X-Force research and development. The parsing routine could allow malicious code to be executed.
ISS and CERT issued separate alerts for the vulnerability Monday night.
The problem lies in the manner in which the browser handles the "EMBED" HTML tag, which allows for real-time content such as audio files or ActiveX controls. An attacker could create code using the "src" attribute that causes a buffer overflow that compromises systems. The "src" attribute specifies the location of a file and is not handled properly by IE, ISS said.
Beside affecting Internet Explorer, the flaw may also be found in Outlook, Outlook Express and other applications that use Microsoft's HTML rendering engine, ISS and CERT said. A group of Russian researchers, SECURITY.NNOV, discovered the flaw.
So far, it's believed no worm or virus has been created to take advantage of the vulnerability, ISS said.
"These sorts of things take a while as it did in the case of Code Red and Nimda. It probably takes a month to a few months for malicious code to be written (that exploits such vulnerabilities)," Ingevaldson said.
But the vulnerability is potentially quite dangerous, Ingevaldson said. Essentially, an attacker could gain control of the system by exploiting the vulnerability. The threat of e-mail based attack is probably more dangerous as an infected message appears as a normal e-mail without an attachment. When opened (or viewed through the preview pane), it can infect the machine without the user knowing, he said.
By contrast, one would need to visit a rogue site in order to become infected while Web surfing, Ingevaldson said.
A few weeks ago, Microsoft released a patch that addresses the flaw in Internet Explorer and several other security issues. Users of products that use Microsoft's rendering engine should contact their vendors to see if they are offering patches.
Users should also examine the default security settings on their browsers, which often change from release to release, Ingevaldson said. Disabling the ActiveX controls and plug-in functions of the browser is a good practice to perform any way, though some Web sites may not render correctly, he said.