By Jennifer LeClaire TechNewsWorld Part of the ECT News Network
03/24/06 10:59 AM PT
Microsoft (Nasdaq: MSFT) has confirmed that a new vulnerability exists in its Internet Explorer Web browser. The flaw could allow an attacker to execute arbitrary code on a user's system.
The vulnerability affects IE 6.0 and Microsoft Windows XP Service Pack 2. Secunia has also confirmed the vulnerability exists in the January edition of IE7 Beta 2 Preview. Consumers who use the IE 7 Beta 2 Preview that was released on March 20 are not affected, Microsoft said.
The vulnerability is caused by an error in Internet Explorer's handling of the "createTextRange()" method when it is called on a radio button control, that is, an input element of type "radio", the form field that lets a user pick one option from a set by clicking a button. The attacker's page supplies both the radio button and the script that calls the method on it, so nothing beyond getting the victim to render attacker-controlled content is required.
Microsoft Speaks Out
"Microsoft has determined that an attacker who exploits this vulnerability would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site," Microsoft said in its Security Advisory.
It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems. In an e-mail based attack, customers would have to click a link to the malicious Web site or open an attachment that exploits the vulnerability.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights, Microsoft said.
Mitigating the Risk
The security world is waiting to learn whether Microsoft will release an out-of-cycle patch for this flaw, which is rated extremely critical. Analysts, however, do not expect a patch before Microsoft's regular monthly release, which falls on the second Tuesday of April. It may even be longer.
"One of the issues with this type of vulnerability is that even though the recommendations are to turn off scripting when you are dealing with text handling vulnerabilities, it touches a lot of areas of the operating system," Mitchell Ashley, CTO and vice president of customer experience at StillSecure, told TechNewsWorld.
The downside of disabling scripting is that some sites stop working. Windows Update, for example, does not function with scripting disabled, which is why this is such a serious issue, Ashley noted.
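The workaround discussed above, written out as an added example that is not code from the article, from Microsoft's advisory or from StillSecure: the script disables Active Scripting in Internet Explorer's Internet zone and places the Windows Update hosts in the Trusted sites zone, where scripting stays enabled, so updates keep working. The registry layout it relies on (value 1400 for Active Scripting with 0 = enable, 1 = prompt, 3 = disable; zone 2 = Trusted sites, 3 = Internet, 4 = Restricted sites) is the standard IE zone layout; the list of Windows Update hostnames is an assumption and should be checked against Microsoft's advisory. The same values can be written with reg add on systems without PowerShell, which did not yet exist when the article ran.

```powershell
# Added example: harden IE zone settings per user (HKCU) and keep Windows Update usable.
# Run as the affected user, then restart Internet Explorer.

$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ActiveScripting = '1400'   # URL action "Active scripting"; 0 = enable, 1 = prompt, 3 = disable

function Get-ZoneScripting {
    # Read back the current Active Scripting setting for a zone (2 Trusted, 3 Internet, 4 Restricted).
    param([int]$Zone)
    (Get-ItemProperty -Path "$zones\$Zone" -Name $ActiveScripting).$ActiveScripting
}

function Set-ZoneScripting {
    # -Force overwrites the existing DWORD rather than failing because it already exists.
    param([int]$Zone, [ValidateSet(0, 1, 3)][int]$Setting)
    New-ItemProperty -Path "$zones\$Zone" -Name $ActiveScripting -Value $Setting `
        -PropertyType DWord -Force | Out-Null
}

function Add-TrustedHost {
    # Map http://<Sub>.<Domain> and https://<Sub>.<Domain> to zone 2 (Trusted sites).
    # ZoneMap stores the host as Domains\<domain>\<subdomain> with a value per scheme.
    param([string]$Domain, [string]$Sub)
    $key = "$domains\$Domain\$Sub"
    New-Item -Path $key -Force | Out-Null
    foreach ($scheme in 'http', 'https') {
        New-ItemProperty -Path $key -Name $scheme -Value 2 -PropertyType DWord -Force | Out-Null
    }
}

# Weak default: scripting is enabled (0) for every page in the Internet zone.
"Internet zone Active Scripting before: $(Get-ZoneScripting -Zone 3)"

# Hardened: no script runs for Internet-zone or Restricted-zone pages, so an attacker's
# page cannot call createTextRange() on its radio button.
Set-ZoneScripting -Zone 3 -Setting 3
Set-ZoneScripting -Zone 4 -Setting 3

# Exception: Windows Update needs scripting, so its hosts go to Trusted sites.
# The hostnames below are an assumption; confirm the set against Microsoft's advisory.
foreach ($sub in 'windowsupdate', 'update') {
    Add-TrustedHost -Domain 'microsoft.com' -Sub $sub
}

"Internet zone Active Scripting after:  $(Get-ZoneScripting -Zone 3)"
```

Group Policy can override these per-user values, so on managed machines check the effective setting in Internet Options after running the script. Every site that is not in the Trusted zone will now render without script until the patch is installed and the zone 3 value is set back to 0.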
Extremely Critical
Analysts said the number of Web sites at which this vulnerability could be exploited is large. Any page an attacker controls, or any page into which attacker content can be injected, such as a banner advertisement, can carry the radio button and the script that triggers the flaw; the widespread use of radio buttons on legitimate sites is not what puts users at risk. StillSecure expects to see additional exploits identified in the coming weeks.
Since disabling scripting causes other issues and is difficult for end users to do on their own, Ashley said one of the easiest ways to mitigate the risk is to use an alternate browser.