November 04, 2004, 11:25 AM — Security researchers are warning that exploit code is circulating for a newly discovered security vulnerability in Microsoft Corp.'s Internet Explorer (IE) Web browser.
An error in the way IE handles some attributes of the "iframe" and "frame" HTML tags can be exploited to cause a buffer overflow and execute malicious code on a PC, according to researchers. The vulnerability could be exploited via a specially crafted HTML document including an email message or a Web page, according to an advisory from US-CERT.
The bug has been confirmed in IE 6.0 on a fully patched Windows XP with Service Pack 1 and IE 6.0 on a fully patched Windows 2000, according to an advisory from Danish security firm Secunia. Programs using the WebBrowser ActiveX control, including Outlook, Outlook Express, AOL and Lotus Notes, may also be affected, US-CERT said.
While Microsoft hasn't yet issued a patch, the bug appears to be a selling point for the widely touted Service Pack 2 (SP2) -- systems running SP2 don't appear to be affected, researchers said.
The bug could be particularly serious because a working exploit has been published on public mailing lists, according to Secunia. Such an exploit could make it far easier for a malicious user to launch an attack.