Attackers could use newly discovered flaws in Internet Explorer to launch malicious code and spoof dialog boxes, two security firms warned. The first problem, reported by Vienna-based SEC Consult, is that IE doesn't properly handle instantiation of non-ActiveX COM objects from Web pages. The advisory said, "loading HTML documents with certain embedded CLSIDs results in null-pointer exceptions or memory corruption. In one case, we could leverage this bug to overwrite a function pointer in the data segment. It may be possible to exploit this issue to execute arbitrary code in the context of IE."
The Bethesda, Md.-based SANS Internet Storm Center said, "The published proof-of-concept code demonstrates the issue by invoking the javaprxy.dll COM object and crashing Internet Explorer, as tested in Internet Explorer 6 on Windows XP Service Pack 2. Although there are no patches to address the issue, a work-around is to disable ActiveX support in the browser."
Secunia developed a test users can run to see if their browser is affected. The firm confirmed the flaw in a fully updated version 6.0 and recommends users avoid untrusted Web sites while browsing trusted sites.
Microsoft confirmed it is investigating the reports. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing additional mitigation guidance through this security advisory, and if appropriate, a security update through our monthly release process or an out-of-cycle security update, depending on the results of the investigation," the software giant said in a statement.
At this point, Microsoft said, "We have not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time, but we are aggressively investigating the public report."
This article originally appeared on SearchSecurity.com.