IE bug crashes browsers

A researcher has revealed details of a vulnerability in Internet Explorer 6.0, but it is unclear whether it is exploitable

A simple flaw in Internet Explorer 6.0 causes the browser to crash when it views pages containing malicious HTML code, a security researcher has found.

Although many DoS vulnerabilities such as this can lead to the discovery of more serious flaws after further research, AusCERT security researcher Jamie Gillespie said it's unlikely in this case.

"Its exploitable for the DoS, for sure, but not every DoS bug leads to execution of code," Gillespie told ZDNet Australia. "Going by what I can see so far, I don't believe it would be (fully) exploitable".

The Denial of Service (DoS) bug was disclosed on the bugtraq security mailing list, but at this stage, it's unclear if Microsoft has been kept in the loop.

"Going down the disclosure track, I wonder if this has been revealed to Microsoft or this guy has just posted it," Gillespie said.

If the bug turns out to be a simple DoS problem, then Microsoft isn't likely to be phased, but it could cause the company headaches if the issue is found to be more serious. The software giant will most likely conduct its own research into the matter, says Gillespie.

"There needs to be research as to the cause of the bug, and if there's a fix present it must be regression tested to ensure the fixing of one bug doesn't introduce another more dangerous flaw," he added.

The bug is exploited through five lines of HTML code. A test conducted by ZDNet Australia revealed that when embedded in a viewed page, the code causes all open Internet Explorer windows to close.

Unlike a buffer overflow, the glitch may turn out to be harmless -- the result of some sloppy programming.

"It doesn't look like a buffer overflow... if anything (the code is) not giving Internet Explorer information that it's expecting and that's what's causing the problem," Gillespie said.

Microsoft Australia was unable to comment at the time of writing.

For everything Internet-related, from the latest legal and policy-related news, to domain name updates, see ZDNet UK's Internet News Section.

Let the editors know what you think in the Mailroom.