Microsoft's Patch Tuesday activity carried over from last week into this one as the software giant promised to issue a fix for its latest Internet Explorer security patch, which apparently carries a security bug of its own.
The vulnerability could allow attackers to take complete control over a Windows PC running IE 6 with Service Pack 1 and the MS06-042 update installed, according to a Microsoft security advisory published this week. The flaw lies in the way IE handles long Web addresses. The firm has not yet said when the new patch will be ready.
"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user," Microsoft reported in its security advisory. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
In one attack scenario, an attacker could host a Web site containing a page that would exploit this vulnerability. Microsoft explained that compromised Web sites and those that accept or host user-provided content or advertisements may contain specially crafted content that could exploit this flaw. In all cases, however, an attacker would have no way of forcing users to visit these Web sites. Instead, an attacker would have to persuade users to visit the sites, typically by getting them to click on a link in an e-mail or instant messenger message.