In association with heise online

23 November 2009, 11:01

New critical vulnerability in Internet Explorer


Last Friday, a posting entitled "IE7" and containing only a few uncommented lines of HTML code appeared on the BugTraq security mailing list. Several security firms have since confirmed that the code demonstrates a previously unknown security hole in Internet Explorer.


heise Security found that Internet Explorer currently crashes when trying to access the exploit code

In first tests by heise Security, Internet Explorer crashed when trying to access the HTML page. Security firm Symantec confirms that, while the current zero-day exploit is unreliable, more stable exploit code that will present a real threat is expected to appear in the near future. French security firm VUPEN managed to reproduce the security problem in Internet Explorer 6 and 7 on Windows XP SP3, warning that this allows attackers to inject arbitrary code and infect a system with malicious code. Microsoft has not yet commented on the problem.

The real identity of sender "securitylab.ir" remains unknown, but the pseudonym has appeared in advisories and exploits across various areas since April 2009. The flaw appears to be triggered when calling the getElementsByTagName JavaScript method. This means that IE users can protect their systems by disabling the Active Scripting setting for the Internet zone, although as a result, many web pages will no longer function. As the flaw can be traced to Microsoft's mshtml.dll library, it is unlikely that other browsers are affected.

(djwm)
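
The workaround described above, disabling Active Scripting for the Internet zone, can be audited and applied from the registry. The following PowerShell script is an added example and not part of the original article; it relies on Internet Explorer's URL action 1400 (Active scripting) in zone 3 (Internet), and the key precedence it uses is an assumption noted in the comments.

```powershell
# Added example: audit, and with -Disable set, Active Scripting for IE's Internet zone.
# URL action 1400 = "Active scripting"; zone 3 = Internet.
# Stored values: 0 = enabled, 1 = prompt, 3 = disabled.
param([switch]$Disable)

$sub     = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$zone    = 'Zones\3'
$action  = '1400'
$meaning = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }
$userKey = "HKCU:\Software\$sub\$zone"

# Assumption: lookup order is machine policy, user policy, user preference,
# machine preference; Security_HKLM_only = 1 makes IE ignore the HKCU keys.
$hklmOnly = (Get-ItemProperty "HKLM:\Software\Policies\$sub" -Name Security_HKLM_only `
    -ErrorAction SilentlyContinue).Security_HKLM_only -eq 1
$candidates = @("HKLM:\Software\Policies\$sub\$zone")
if (-not $hklmOnly) { $candidates += "HKCU:\Software\Policies\$sub\$zone", $userKey }
$candidates += "HKLM:\Software\$sub\$zone"

# Return the first key in precedence order that carries a value for action 1400.
function Get-ActiveScriptingSetting {
    foreach ($path in $candidates) {
        $item = Get-ItemProperty -Path $path -Name $action -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Path = $path; Value = [int]$item.$action }
        }
    }
}

if ($Disable) {
    # Write the per-user preference; a policy key, if present, still wins.
    if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
    Set-ItemProperty -Path $userKey -Name $action -Value 3 -Type DWord
}

$effective = Get-ActiveScriptingSetting
if ($null -eq $effective) {
    Write-Output 'No explicit value for action 1400 in zone 3 was found.'
} else {
    $state = $meaning[$effective.Value]
    if (-not $state) { $state = "unrecognised value $($effective.Value)" }
    Write-Output "Active Scripting (Internet zone): $state, from $($effective.Path)"
    if ($Disable -and $effective.Path -ne $userKey) {
        Write-Warning 'A higher-precedence key overrides the per-user setting just written.'
    }
}
```

Run without arguments to report the effective setting; run with `-Disable` to write the per-user value and confirm that no policy key overrides it.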

Permalink: http://h-online.com/-866155