Experts warn of yet another IE flaw

The Computer Emergency Response Team (Cert) today released an advisory warning of yet another vulnerability affecting Microsoft Internet Explorer and Outlook.

A buffer overflow vulnerability in the way Explorer handles embedded objects in HTML documents could allow an attacker to execute arbitrary code on a victim's system.

Explorer supports the '<embed>' tags which can be used to include arbitrary objects such as multimedia files, Java applets and ActiveX controls in an HTML document.

The 'src' attribute is used to specify the location of a file, but Cert warned that research by Russian researchers Security.nnov had found that Explorer does not properly handle the attribute.

This means that a maliciously crafted 'src' attribute in a web page or HTML email could trigger a buffer overflow, executing code with the privileges of the user viewing the document.

Microsoft has released a patch, and further information on this problem is available here.

The Cert advisory is available here.