[ISN] Scripting flaws pose severe risk for IE users

From: InfoSec News (isn@c4i.org)
Date: Wed Nov 26 2003 - 01:45:00 CST


http://www.theregister.co.uk/content/55/34186.html

By John Leyden
Posted: 25/11/2003

A set of five unpatched scripting vulnerabilities in Internet Explorer
creates a mechanism for hackers to compromise targeted PCs.

The vulnerabilities, unearthed by Chinese security researcher Liu Die
Yu, enable malicious Web sites and viruses to bypass the security zone
settings in IE6. Used in combination, the flaws might be exploited to
seize control of vulnerable PCs.

Proof of Concept exploits have been released by Liu Die Yu to validate
his warnings.

Microsoft has yet to patch the flaws. But users can protect themselves
against the flaws by disabling active scripting or by using an
alternative browser.

Thomas Kristensen, CTO of security Web site Secunia, told The Register
that the five distinct vulns could be used in combination to install
executables (viruses, Trojans and porn diallers). Secunia describes
the vulnerabilities as "extremely critical".

Despite this, Kristensen warns that Microsoft is unlikely to break its
newly instituted monthly release cycle to release a stand-alone IE
patch unless a vulnerability was widely exploited. Pending the
availability of a patch, Secunia advises all IE users to disable
active scripting.

The drawback of this workaround is that with some Web sites certain
functions won't work unless scripting is enabled. IE users should
define any sites they need to use as trusted so that they can continue
to use scripting on those sites alone, Kristensen advised.

Secunia's advisory is here [1].

[1] http://www.secunia.com/advisories/10289

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.
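
The workaround described in the article (active scripting off for the Internet zone, on only for sites listed as trusted) can be applied and checked per user through the IE zone settings in the registry. This is an added example, not part of the article or the Secunia advisory. It assumes the standard IE zone numbering (2 = Trusted sites, 3 = Internet) and URL action 1400 (active scripting), and `intranet.example.com` is a placeholder site.

```powershell
# Added example: per-user IE zone hardening. A Group Policy setting, if present, overrides HKCU.
$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZonesKey     = Join-Path $InetSettings 'Zones'
$DomainsKey   = Join-Path $InetSettings 'ZoneMap\Domains'
$ActiveScripting = '1400'   # URL action: 0 = enable, 1 = prompt, 3 = disable
$InternetZone    = 3
$TrustedZone     = 2

function Get-ActiveScriptingPolicy {
    param([int]$Zone)
    $prop = Get-ItemProperty -Path (Join-Path $ZonesKey $Zone) -Name $ActiveScripting -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotSet' }
    switch ($prop.$ActiveScripting) {
        0 { 'Enabled' }
        1 { 'Prompt' }
        3 { 'Disabled' }
        default { "Unknown($_)" }
    }
}

function Disable-InternetZoneScripting {
    $key = Join-Path $ZonesKey $InternetZone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $ActiveScripting -Value 3 -PropertyType DWord -Force | Out-Null
}

function Add-TrustedSite {
    param([string]$Domain, [string]$Scheme = 'https')
    # The value name is the URL scheme; the DWORD data is the zone the site maps to.
    $key = Join-Path $DomainsKey $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -Value $TrustedZone -PropertyType DWord -Force | Out-Null
}

# Apply the workaround, then report the resulting state.
Disable-InternetZoneScripting
Add-TrustedSite -Domain 'intranet.example.com'   # placeholder: list only sites that need scripting

"Internet zone scripting: $(Get-ActiveScriptingPolicy -Zone $InternetZone)"
"Trusted zone scripting : $(Get-ActiveScriptingPolicy -Zone $TrustedZone)"
Get-ChildItem -Path $DomainsKey -ErrorAction SilentlyContinue |
    ForEach-Object { "Zone-mapped domain: $($_.PSChildName)" }
```

Restart the browser after running it so the zone settings are re-read.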