HTML bug hits Internet Explorer

Security firms today revealed a "high risk bug" which sneaks malicious code onto a machine running Microsoft Internet Explorer (IE).

This latest vulnerability, which comes only a week after the uncovering of a separate flaw affecting IE's mail extenstions, centres on HTML-based emails.

HTML mails, which are effectively websites, could potentially run an embedded file attachment containing malicious code if a user previews the code using Outlook. The user would not even have to open the message to activate the code, according to security firm GFI.

The vulnerability is carried out through the use of an HTML content tag known as IFrame which is used to embed another frame, or web page, inside the main one. The embedded page would be responsible for loading or activating the malicious code.

GFI's chief executive Nick Galea told vnunet.com that Microsoft has released a patch to fix the vulnerability, available here, but added that filtering email at server level to remove potentially dangerous code such as the IFrame tag was the best way to combat the threat.

"HTML mail viruses are becoming more sophisticated and more difficult to detect and stop," said Galea. "The recently discovered vulnerability is a clear example of how dangerous HTML mail scripting can be. Exploits like this indicate that other such HTML viruses lie close ahead."