Westlake Village (CA) – Security researchers have found a new bug that can crash patched versions of Internet Explorer 6. The code and a demonstration link are available on the “Browser Fun” blog, which posts browser exploit code.
Basically, the bug causes a memory heap overflow by continuously calling image objects. Internet Explorer locks up and eventually crashes, displaying the infamous “the program has encountered a problem” window.
TG Daily has verified that Internet Explorer 6 browsers on fully-patched Windows SP2 machines are vulnerable. Firefox and other alternative browsers appear to be unaffected by the bug. According to the blog, which first published information about the security issue, the bug is difficult to detect unless “heap verification has been enabled in the global debug flags for iexplore.exe” – something a common user would probably never do.
According to the blog, Microsoft was informed about the bug on 6 March and it has been added to an open-source database of exploits. So far, no patch has been released, and there have been no reports of the bug being used in the wild (other than the demo site).
Searching for browser exploits has almost become a national pastime for several security-related websites. Many of the exploits have targeted Microsoft’s ActiveX platform embedded in all Internet Explorer browsers, but Firefox is beginning to see its share of exploits.