Security watchdog the US Computer Emergency Readiness Team (US-Cert) has warned Internet Explorer (IE) users to update patches after it discovered a buffer overflow vulnerability that gives hackers local admin rights to execute arbitrary code on compromised PCs.
The so-called heap buffer overflow vulnerability centres on the way IE handles the SRC and Name attributes of Frame and Iframe elements.
"After mishandling overly long SRC and Name attributes, IE de-references a memory address that may fall within one of the prepared heap blocks, running through the Nop slide and executing the attacker's shell code," the security watchdog said.
"Without the ability to prepare the heap blocks, this attack become significantly more difficult."
Other programs that use the WebBrowser ActiveX control (e.g., Outlook, Outlook Express, AOL, Lotus Notes) could be affected by this vulnerability, the security watchdog warned.
Hackers exploiting the bug need to convince a user to view a specially crafted HTML document, such as a web page or an HTML email message, after which the attacker could execute arbitrary code with the privileges of the user.
The attacker could also cause IE (or the program using the WebBrowser control) to crash.
US-Cert said that, while there is no complete solution to this problem, users should begin by installing Windows XP Service Pack 2 which the organisation said "does not appear to be affected by this vulnerability".
Users are advised to disable Active scripting to make it more difficult for attackers to prepare the heap to execute arbitrary code.
"At a minimum, disable Active scripting in the internet zone and the zone used by Outlook, Outlook Express, or any other software that uses the WebBrowser ActiveX control," US-Cert advised.
The security group also advised IE users to follow basic common sense security procedures such as not clicking on unsolicited URLs received in email, instant messages, web forums or internet relay chat channels.
Email client software should be configured to render email messages in plain text rather than HTML, and antivirus software should be kept up to date.
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago