News Stay informed about the latest enterprise technology news and product updates.

Exploit code targets IE memory corruption flaw

Update: Security experts warn of proof-of-concept code for a memory corruption flaw in Internet Explorer. One firm recommends disabling Active Scripting, and explains how.

Updated Tuesday, Nov. 22, to include advisories from Microsoft, Symantec and the SANS Internet Storm Center.

Exploit code is now circulating for a memory corruption flaw in Internet Explorer (IE) that first came to light in May, security experts warned Monday. Malicious people could take advantage of the security hole by using specially crafted JavaScript code to launch an attack.

Cupertino, Calif.-based Symantec told customers of its DeepSight Threat Management System that the appearance of proof-of-concept code is one of the reasons why its ThreatCon remains at Level 2. The rating applies when "knowledge or the expectation of attack activity is present, without specific events occuring or when malicious code reaches a moderate risk rating."

The Bethesda, Md.-based SANS Internet Storm Center, meanwhile, has raised its alert status to yellow. The center typically does so to increase awareness when a new threat appears.

"A critical vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to execute arbitrary commands," the French Security Incident Response Team (FrSIRT) said in an advisory. "This flaw is due to a memory corruption error when processing malformed HTML pages containing specially crafted calls to the JavaScript 'window()' object and the 'body onload' tag, which could be exploited by remote attackers to take complete control of an affected system by convincing a user to visit a malicious Web page."

Danish vulnerability clearinghouse Secunia first issued an advisory for the vulnerability May 31, saying certain objects aren't initialized correctly "when the 'window()' function is used in conjunction with the '' event." This could be exploited "to execute arbitrary code on a vulnerable browser via some specially crafted JavaScript code called directly when a site has been loaded," said the firm, which updated its advisory Monday to note the appearance of exploit code. The firm also raised the severity rating to "extremely critical."

Secunia confirmed the vulnerability on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2, and Internet Explorer 6.0 and Microsoft Windows 2000 SP4.

The firm recommended users protect themselves by disabling Active Scripting unless it's on a trusted site.

FrSIRT said users can do this by:

  • Starting Internet Explorer;
  • Clicking "Internet Options" under the Tools menu;
  • Clicking "Custom Level" on the Security tab;
  • Clicking "Disable" under Active scripting in the Settings box; and
  • Clicking OK.

Microsoft has issued an advisory on the flaw and exploit code, saying, "This issue was originally publicly reported in May as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible."

The software giant added, "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

Dig Deeper on Application attacks (buffer overflows, cross-site scripting)

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.