A group of Russian researchers from SECURITY.NNOV has uncovered a new flaw in Microsoft Internet Explorer that would allow an
attacker to execute arbitrary code on a victim’s system when the victim visits a Web page or views an HTML email message.
The Computer Emergency Response Team Coordination Center (CERT/CC), which issued an advisory about the flaw Monday, said the buffer
overflow vulnerability would allow the attacker the system privileges of the victim and noted that the flaw could be exploited to
distribute viruses, worms or other malicious code.
CERT attributed the vulnerability to Internet Explorer’s improper handling of the SRC attribute of the directive, which can
be used to include arbitrary objects in HTML documents. Common types of embedded objects include multimedia files, Java applets and
ActiveX controls. The SRC attribute specifies the source path and filename of an object.
CERT said an HTML document, like a Web page or HTML email message, which contains a crafted SRC attribute can trigger a buffer
overflow, executing code with the privileges of the user viewing the document. Microsoft Internet Explorer, Outlook and Outlook
Express are all vulnerable. Other applications which use the Internet Explorer HTML rendering engine, such as Windows compiled HTML
help (.chm) files and third-party email clients, may also be vulnerable.
Microsoft has already released a patch which protects against
the vulnerability and some other recently discovered flaws.
CERT also recommended disabling ActiveX controls and plugins, or, at a minimum, disabling the “Run ActiveX Controls and Plugins”
security option in the Internet Zone and the zone used by Outlook or Outlook Express. That option is already disabled in the “High”
zone security setting.
CERT also suggested installing the Outlook Email Security Update, which configures Outlook to open email messages in the Restricted
Sites Zone, in which the “Run ActiveX Controls and Plugins” security option is disabled by default.