New publicly disclosed vulnerability in Internet Explorer

Hi, it’s Lennart again. Wanted to let you know that today we saw another public posting around a vulnerability in Internet Explorer. This one is different than the crash bug I wrote about earlier. The public posting speaks about createTextRange() and a way that this could be utilized to get code to run when visiting a specially crafted Web page. We’re still investigating, but we have confirmed this vulnerability and I am writing a Microsoft Security Advisory on this. But we wanted to make sure customers knew we were aware of this and we will address it in a security update.

(If you’re using the new refresh of the IE7 Beta 2 Preview announced at Mix06, then you are not affected by the public report.  You can download the preview at

Our initial investigation has revealed that if you turn off Active Scripting, that will prevent the attack as this requires script.  Customers who use supported versions of Outlook or Outlook Express aren’t at risk from the email vector since script doesn’t render in mail (being read in the restricted sites zone).
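To check whether the Active Scripting workaround is in place on a machine, the following added example (not part of the original post or of any Microsoft guidance quoted here) reads the per-user Active Scripting setting for each Internet Explorer security zone. It assumes the standard per-user zone registry layout, where URL action `1400` holds the Active Scripting setting; the function names are hypothetical, and Group Policy settings stored elsewhere can override what it reports.

```powershell
# Added example: audit (and optionally set) Active Scripting per IE security zone.
# Assumption: per-user zone settings live under the key below; URL action 1400
# is Active Scripting, with 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonesPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames   = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                  3 = 'Internet';    4 = 'Restricted sites' }
$ActionNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveScriptingSetting {
    # Hypothetical helper: returns one object per zone with the current setting.
    foreach ($zone in 0..4) {
        $key   = Join-Path $ZonesPath "$zone"
        $value = $null
        if (Test-Path $key) {
            $prop = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
            if ($prop) { $value = $prop.'1400' }
        }
        if ($null -eq $value) {
            $setting = 'Not set for this user'
        } elseif ($ActionNames.ContainsKey([int]$value)) {
            $setting = $ActionNames[[int]$value]
        } else {
            $setting = "Unknown ($value)"
        }
        [pscustomobject]@{
            Zone       = $ZoneNames[$zone]
            RawValue   = $value
            Setting    = $setting
            # Only an explicit 3 means script is blocked without user interaction.
            Mitigated  = ($value -eq 3)
        }
    }
}

function Disable-ActiveScripting {
    # Hypothetical helper: turns Active Scripting off for one zone (default: Internet).
    param([ValidateRange(0, 4)][int]$Zone = 3)
    $key = Join-Path $ZonesPath "$Zone"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
}

# Report the current state; call Disable-ActiveScripting to apply the workaround.
Get-ActiveScriptingSetting | Format-Table -AutoSize
```

Setting the value to 1 instead of 3 makes Internet Explorer prompt before running script, which still requires the user to decline on untrusted pages.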

We’re going to continue to look into this but remind you also that safe browsing practices can help here, like only visiting trusted websites, etc.  As I noted the other day, if you think you might be impacted, remember you can contact Product Support Services.  Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location:

Kind regards,


*This posting is provided “AS IS” with no warranties, and confers no rights.*