I had kinda thought I’d finished posting for the day till I looked in my emails and discovered something I’m not too sure I like the sounds of.

Secunia Research has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an error in the processing of the “createTextRange()” method call applied on a radio button control. This can be exploited by e.g. a malicious web site to corrupt memory in a way that allows the program flow to be redirected to the heap.

Successful exploitation allows execution of arbitrary code.

NOTE: Exploit code is publicly available.

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition). Other versions may also be affected.

Secunia Advisory – Microsoft Internet Explorer “createTextRange()” Code Execution

This is seriously bad, people. There isn’t an update/patch available yet, but Microsoft is aware of the vulnerability and intends to release information on how to mitigate the issue until a patch is available to fix this problem.

For the most part, this does not affect email in Outlook and Outlook Express if you have not changed the security settings within those apps. It does affect any program that uses mshtml.dll for active scripting. That includes the loader page for World of Warcraft.