The vulnerability is caused by a "buffer overflow," a flaw that has plagued Internet Explorer in the past. In this case, the flaw allows a malicious attacker to flood the browser with garbage data via a malformed HTML tag. The browser lacks allocated memory to handle the flow of unexpected data and responds to the attack by crashing.
Researchers are now investigating whether this flaw can also be used to inject malicious code into computers, which would allow attackers to remotely control or alter the contents of affected computers.
If so, it's possible that this flaw could allow attack code to enter computers when users simply visit a malicious Web site. There is currently no patch or workaround that can protect users from the fallout.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i"A Web browser crash by itself is basically a non-event, a nuisance but not much more," said Michael Sutton, director of iDefense Labs, a security research company. "The question that needs to be answered is will this vulnerability be found to be exploitable and if so, will public exploit code emerge?"
Sutton said that iDefense researchers have examined the flaw and believe that it is likely exploitable but it's not clear if the exploit will be reliable as it involves memory corruption.
The flaw was discovered by security researcher Michal Zalewski, a Polish security expert who is the author of "Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks."