Microsoft investigates another IE flaw report

By Joris Evers, CNET News.com
30 August 2005 04:08 PM
A new, unpatched flaw in Internet Explorer could let miscreants surreptitiously run malicious code on Windows PCs, according to the discoverer of the bug.

The problem affects Internet Explorer 6--the latest version of Microsoft's Web browser--on computers running Windows XP with Service Pack 2 and all security patches installed, Tom Ferris, an independent security researcher in Mission Viejo, California, said in an interview Monday in the US. Other versions of Windows and IE may also be vulnerable, he said.

The security hole allows for "full blown remote code execution," Ferris said. "If a user browses to a bad Web site, malicious software can be installed on their PC without their knowledge."

Ferris claims credit for discovering the problem and said he informed Microsoft of the flaw on Aug. 14. He reported some basics on the bug on his Security Protocols Web site on Saturday, but is not sharing more details to prevent information from getting into the wrong hands.

A Microsoft representative late Monday confirmed the company received Ferris' report. The Redmond, Washington, software giant can't confirm if the flaw exists, but it is investigating the bug report, the representative said. "At this time there are not any attacks and there are not any risks," to users, she said.

Ferris said he provided Microsoft with details on the bug, including computer code to prove the existence of the problem. On his Web site, Ferris shows a screen shot of a crashing IE 6 Web browser, which he said was caused by the same bug.

Upon completion of the investigation, Microsoft will take the appropriate action to protect users, the representative said. This may include providing a security update through its monthly release process or providing an out-of-cycle security update, she said.

There are several unpatched vulnerabilities in IE 6, according to Secunia. The security monitoring company has issued 69 alerts on the Web browser since 2003, and almost a third of those security bugs remain unpatched, according to Secunia's Web site. Secunia has yet to issue an advisory on this latest IE security issue.

Ferris has found bugs in Microsoft software before. Earlier this month, Microsoft credited him with reporting a bug in a Windows feature called the Remote Desktop Protocol that could allow an attacker to remotely restart Windows systems.

Ferris recommends users pick a different Web browser or surf the Web with caution to protect against any exploitation of the latest IE flaw and other browser bugs. Microsoft, as always, urges users to apply all available software patches and run updated security software.
