IE Bug Can Crash Browser

Vulnerability could also allow an attacker to run software on compromised machines.

Robert McMillan, IDG News Service


Security researchers have discovered a bug in Microsoft's Internet Explorer browser that can cause the software to crash, and which could possibly be used to let an attacker run unauthorized software on the IE user's machine.

The bug, which was first discovered by researchers at Austrian security consulting firm SEC Consult Unternehmensberatung and reported to Microsoft several weeks ago, concerns the way IE handles certain software modules.

By loading HTML pages that make use of certain ActiveX components, researchers were able to overwrite registers on the computer's processor, says Martin Eisner, chief technical officer with SEC Consult.

Malicious Code

This technique could theoretically be used to fill parts of the computer's memory with malicious code, creating what is called a "heap-based buffer overflow," he says.

"It's possible to crash Internet Explorer," Eisner says. "Executing arbitrary code might be possible; we could not confirm that now."

Microsoft has confirmed that the bug exists and is investigating the matter, says spokesperson Kjersti Gunderson. The company is not aware of any attacks that have exploited this vulnerability, she adds.

Eisner expects Microsoft to patch the bug within a few weeks. "Right now it's not that dangerous," he says. "But of course within a couple of weeks there will be somebody who has a little bit more time than we have and there will be an exploit then."
