The most severe bug, discovered arlier this month by Web developer Jeffrey van der Stad. It could possibly allow attackers to seize control of a victim's PC. Van der Stad claims to have discovered way for attackers to trick Internet Explorer into executing HTA (HTML application) files without the user's permission. HTA is a Microsoft-created format that is used to create HTML-based applications.
Victims could have their systems compromised by visiting a Web site that contained the malicious code, van der Stad said. "With a specially designed Web site, it is possible to execute such a file without any prompt," he said. He has not published technical details of his bug, but Microsoft has been able to reproduce the problem and is hoping to have it patched in its next IE release, he said.
Toulouse would not comment on whether Microsoft considered the bug to be severe, saying that this information would "put customers at risk by providing attackers [with] information before the update is available."He also did not say whether he expected this problem to be patched during the company's next group of security updates, scheduled for April 11.
However, Microsoft has confirmed that it is investigating a separate IE vulnerability that could cause its browser to crash. Code that takes advantage of this vulnerability has already been published on the Internet. But because the bug does not appear to cause anything worse than a browser crash, it is not considered to be critical, according to security vendors. Microsoft has also confirmed that this bug can crash IE, in a note published Tuesday.