Critical new Internet Explorer vulnerability found
Takeaway: Secunia has released a security advisory detailing a new vulnerability in Microsoft's Internet Explorer 6 browser. John McCormick has the details in this edition of the IT Locksmith.
A critical new threat has emerged in Internet Explorer 6, and no patch is yet available. At the other end of the spectrum, several Linux vendors have released patches for some critical Linux vulnerabilities.
Details
Secunia has released a security advisory detailing a new vulnerability in Microsoft's Internet Explorer 6 browser (CVE-2006-1992). The company has designated it a highly critical threat.
Michal Zalewski published the original advisory on April 23. Secunia has conducted its own tests and found that even fully patched versions of IE 6 may be subject to this object tag memory corruption vulnerability.
Successful exploitation could allow the execution of arbitrary code. However, no reports of exploits have appeared in the wild.
No patch is yet available for this flaw. Until Microsoft releases a fix, the only workaround is to avoid visiting untrusted Web sites.
Meanwhile, the French Security Incident Response Team (FrSIRT) has no major Windows vulnerabilities listed, but it does cite several critical patches for Linux versions. Each of these patches eliminates a number of CVE-listed vulnerabilities.
- Gentoo has released an update to address a Mozilla remote code execution vulnerability.
- Debian patched this threat as well as a Firefox code execution threat last week.
- Fedora did the same.
- Fedora and Gentoo both patched an Ethereal remote code execution threat last week as well.
- SGI released a critical patch last week.
Also watch for...
- The National Infrastructure Security Co-ordination Centre (NISCC), a British security organization, has reported new flaws in the DNS protocol.
- Cisco Systems has patched its Wireless LAN Solution Engine and other products.
- Shades of War Games: According to The Palm Beach Post newspaper, instead of garnering a glowing high school transcript, 18-year-old Jeff Yorston has landed a felony fraud arrest for altering student records—perhaps he's watched the Matthew Broderick movie once too often.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.
