Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Yet Another Zero-day Smacks IE

Microsoft's Internet Explorer, which was just patched with 10 fixes two weeks ago, suffers from yet another zero-day vulnerability that can be exploited remotely, security firm Symantec said Monday.

In an alert to customers of its DeepSight threat system, Symantec cited a vulnerability first posted to the Bugtraq security mailing list by researcher Michal Zalewski, who notes that IE is prone to memory corruption because of the way it handles malformed HTML.

HTML content that contains nested

tags without the corresponding

closure tags, said Symantec's alert, can trigger the bug.

"An attacker could exploit this issue via a malicious web page to potentially execute arbitrary code in the context of the currently logged-in user," said the advisory. "If the attack is successful, the executable content will be executed. Failed exploit attempts will likely crash the affected application."

A fully-patched version of IE 6 for Windows XP SP2 -- the most-secure production version of Microsoft's browser -- is open to the attack.

  • 1