New IE 6.0 Bug Spotted, No Fix

Microsoft's Internet Explorer 6.0 has an "extremely critical" flaw that doesn't yet have a fix, a Danish security firm warned users.

November 4, 2004


Microsoft's Internet Explorer 6.0 has an "extremely critical" flaw that doesn't yet have a fix, a Danish security firm warned users Wednesday.

According to an alert posted by Secunia, up-to-date and fully-patched versions of IE 6.0 in both Windows XP (up through Service Pack 1) and Windows 2000 are vulnerable to attack through the IFRAME HTML tag.

Malicious Web pages that include specially-crafted HTML can cause a buffer overflow on the target machine, then gain control of the system and introduce other code, such as a Trojan horse. A working exploit has been published to public mailing lists, said Secunia.

"The vulnerability has been confirmed in Internet Explorer 6.0 on Windows XP SP1 [and] Internet Explorer 6.0 on Windows 2000," said the Secunia advisory.

IE 6.0 running on a Windows XP SP2 (Service Pack 2) PC, however, is safe from such an attack. Secunia recommended that IE 6.0 users not running SP2 switch to another browser until a patch is released by Microsoft.

In related news, Microsoft on Tuesday quietly posted a fix for a bug in Internet Explorer for Windows XP SP2. Web pages that render vector graphics (as opposed to the much more common bit-mapped images like JPEG and GIF files) can crash or lock up IE 6.0 running in the latest update to Windows XP.

The fix can be downloaded from Microsoft's Web site.
