A Dutch Web developer has discovered a vulnerability in Microsoft's Internet Explorer (IE) 6 Web browser that could allow a PC to be taken over after a user is lured to a malicious Web site.
Microsoft has reproduced the vulnerability and is analyzing the problem, said Jeffrey Van der Stad, who describes the flaw briefly on his Web site at http://jeffrey.vanderstad.net/grasshopper.
The vulnerability lies in how IE 6 handles so-called HTAs, or HTML (Hypertext Markup Language) applications. Van der Stad found a way to execute HTAs without end-user approval. The vulnerability exists in IE 6 for Windows 98, Windows XP Pro, Windows XP Media Center Edition and Windows 2003 Server (Standard), he said.
Van der Stad plans to post proof-of-concept code on his Web site as soon as Microsoft issues a patch.
Microsoft was pleased that he contacted them instead of publishing the exploit. Van der Stad has removed some of the problem's technical description from his Web site at Microsoft's request.
It's unknown when Microsoft will release a patch for the vulnerability.
"We have been trying to get this fix into the next IE release, but it's been a lot of work to do that as it's relatively late in the cycle. It looks like it will make it in though...," Microsoft's security response team wrote in an e-mail to Van der Stad.
Microsoft Netherlands was unable to comment on the vulnerability and Microsoft could not immediately be reached at its Redmond, Washington, headquarters.