UPDATED: A security research firm is warning that all versions of Microsoft’s Internet Explorer are at risk from a vulnerability that could trigger a denial of service attack on end-users.
According to Determina, the vulnerabilities in Internet Explorer alleged by Determina could potentially have a wide spread impact since they affect all versions of IE on Windows 2000, XP, 2003 and Vista including the latest IE 7.
The problem lies in a number of ActiveX controls, which according to Determina’s advisory,”crash with an invalid memory access exception when certain object properties are accessed through JavaScript. “The vulnerable ActiveX controls are located in MSHTML.DLL file, which is included in all versions of IE. All a user needs to do is visit a Web page that incorporates the malicious ActiveX components which in turn will cause the browser to crash.”
The firm said it advised Microsoft of the issue more than a week ago. A Microsoft spokesperson was not immediately available for comment.
Determina has posted proof of concept code on its site for the alleged vulnerability, which internetnews.com has verified works on a fully patched Windows XP SP2 machine running IE 7.
The proof of concept is so basic that all it does to trigger the crash in IE is very simple script that looks very innocuous on the surface. In fact it can be triggered with background color or link color code attributes.
Determina noted in its advisory that it contacted Microsoft about the issue on January 16th and received a reply back on January 22nd. Determina cited a Microsoft e-mail response about the issue that stated: “We have confirmed that this issue can be used to cause the instance of Internet Explorer to exit when viewing the specially crafted Web page.” The issue however cannot execute arbitrary code and can only crash the browser. As such Microsoft’s note to Determina indicates that they will treat the issue as a ‘stability’ issue. To date Microsoft has not patched the issue.
But Determina Security Researcher Alexander Sotirov helped clarify the nature of the risk, and put it in context. “We’ve been working with Microsoft on this bug for the past week,” he told internetnews.com. “We reported it to them privately, they investigated it and concluded that it is a stability rather than a security issue, since it cannot be used to do anything beyond causing the browser to exit.” In fact, Sotirov added, Determina agrees with Microsoft’s assessment of the bug. “I think that this issue is something that their QA should have discovered before the release of the browser, but it’s not something that’s worth fixing in a security update at this point,” Sotirov said.
Crash conditions that can be remotely triggered by a malicious Web site are often considered to be denial of service attacks since the triggered crash effectively denies service to legitimate users.
The IE issue is the second zero day issue in recent days to afflict Microsoft, on the same day that it is holding events in celebration of its launch of Windows Vista. Microsoft said it is currently looking into an issue with Word 2000 that has been tagged as highly critical.