The buffer overflow vulnerability is triggered by malicious JavaScript that can be embedded in an HTML document. When a web page or HTML file containing the malicious script is viewed by Internet Explorer, versions 5 and 6, the buffer is over-run and the browser crashes.
Whilst there is no proof the vulnerability allows the execution of arbitrary code, which would allow an attacker or worm to take control of a victim's system, there's a strong possibility the vulnerability is indeed that critical.
Freelance security consultant Dave Matthews says if the bug is fully exploitable then someone has undoubtedly figured it out by now.
"It's reasonably dangerous. It will require an effective payload to turn it into something more useful. Presumably someone out there has something already," he told ZDNet Australia.
The potentially critical security flaw was disclosed to the Bugtraq security mailing list, in an act Matthews says was most likely intended to antagonise the software giant.
"It could be a bit of an 'up yours' to Microsoft, just letting them know that they know something," he said. "I'm sure they didn't contact Microsoft first".
Jamie Gillespie, a security analyst with AusCERT, a clearing house for vulnerability information, says it may be too early to jump the gun.
"It is a possibility that it could execute arbitrary code. That has not been proven," he said. "It's hard to say without knowing the internal coding structure of IE".
He did, however, concede that where there's smoke there's fire--if it looks like a duck and quacks like a duck, then it's usually a duck.
"Most buffer overflows do have a strong possibility to allow the execution of arbitrary code," he said.
According to Gillespie, Microsoft are currently looking into the issue, but as yet a patch is unavailable. Anti-virus scanners will be of little use until definitions are updated, and even then they will be of limited use. What is needed is a patch.
Because the general perception is that HTML is a lot safer than executable code, such as .exe, .pif, and .scr to name a few, chances are that messaging gateways will allow the code to slip right through into users' in-boxes, according to Chy Chuawiwat, managing director of content filtering company Clearswift Australia.
He says that "pretty much everybody" allows HTML to pass through company filtering gateways. Of those, only a small proportion analyse the structure of the HTML.
"30 percent use some kind of a script analysis tool to look for malicious code in HTML, but if it's not a known pattern that looks malicious it won't pick it up," he said.
Clearswift and other content filtering and anti-virus companies are analysing the bug to determine the best course of action.
Microsoft were unable to comment at the time of writing.












I am not sure the problem I am having is in this category, but it began 3 days ago.
When I try to access MSN I am able to get the home page, My home page but not my e-mail. It goes to the opening page for e-mail but as soon as I click one of the folders (any one) it gives me an ERROR REPORT request. I have sent innumerable reports and still can't get into my mail. How do I fix the problem? Don't send an answer to my MSN mail account as I will never see it. Please send Help to gmary1941@Yahoo.com. When I send the error report it automatically transfers me to Yahoo, and I have no problem getting my mail here.
PLEASE HELP