Microsoft Hunts Down New IE Bug

The software giant says it has yet to receive reports of any attacks focused on a new vulnerability in IE identified by third-party researchers.

Microsoft officials said that they are probing the details of a new vulnerability found in the companys Internet Explorer Web browser.

According to widely distributed reports about the bug, which was first identified by independent security researcher Michal Zalewski, attackers could exploit a buffer overflow issue present in IE by crafting special HTML code for the purpose of targeting the flaw.

Zalewski labeled the glitch as a "very interesting and apparently very much exploitable overflow" and said that it could easily be used to execute malicious code in the software.

Microsoft representatives said the company has not been made aware of any attacks attempting to take advantage of the reported vulnerability and said it continues to investigate the reported issue. The company said it would issue an immediate security advisory or provide an update for IE as part of its monthly patch release process, based on its continued surveillance of the problem.

Lennart Wistrand, lead security program manager in Microsofts Security Response Center, said on the companys blog site that the problem could indeed cause IE to fail. As the company reviews the issue he advised IE users to avoid potentially unsafe Web sites and offered free customer service access to anyone seeking security advice from Microsofts PC Safety hotline.

While Microsoft typically downplays vulnerability reports of this nature, whether or not the software giant decides to issue a patch separate from its monthly security update should indicate how serious the company believes the latest IE bug to be.

Microsoft has made stronger security one of the central themes of its highly anticipated introduction of its next-generation IE 7 software, slated to arrive with the companys new Vista operating system sometime before the end of 2006. Along with much work done in the name of fine-tuning the applications underlying code to eliminate potential vulnerabilities, the company has added a number of features to protect users against malicious programs and Web sites.

Early reviews of the beta version of IE 7 currently available to developers have praised functions such as the softwares Delete Browsing History button, which allows people to specifically select what type of information regarding their Internet usage is stored on their computers.

/zimages/4/28571.gifClick here to read eWEEK Labs review of the latest IE 7 beta.

The beta offers anti-phishing tools that cross-reference Web site URLs with so-called blacklists of sites that have already been identified by Internet watchdogs as suspicious or fraudulent. IE 7 also adds support for International Domain Names, a standard that claims to make it easier to identify Web sites with spoofed addresses.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.