IE bug requires 'no user interaction'


kronas
04-11-2004, 00:07
Security firm Secunia has noted a security hole in Microsoft's Internet Explorer 6 for Windows XP and 2003 that requires 'no user interaction' for the vulnerability to be successfully exploited.

A boundary error in the handling of certain attributes in the IFRAME HTML tag is the cause of the vulnerability, Secunia has reported.

This can be exploited to cause a buffer overflow via a malicious HTML document containing overly long strings in the "SRC" and "NAME" attributes of the tag. Successful exploitation of the error allows execution of arbitrary code.


MS has so far not issued a patch.

Source: Yahoo News

http://story.news.yahoo.com/news?tmpl=story2&u=/nf/20041103/tc_nf/28105

andygrif
04-11-2004, 00:57
I think, like all the recent problems, the people reporting them to the press are highly irresponsible in doing so before MS release patches.

Gareth
04-11-2004, 11:42
Agreed - the story doesn't mention whether they already contacted MS about this... any security company worth their salt would do that. If they had already done this then it changes things a bit. Otherwise it is irresponsible of them.

swoop101
05-11-2004, 06:05
http://news.zdnet.com/2100-1009_22-5439370.html

Further info.