Information Security News mailing list archives

Scripting flaws pose severe risk for IE users


From: InfoSec News <isn () c4i org>
Date: Wed, 26 Nov 2003 01:45:00 -0600 (CST)

http://www.theregister.co.uk/content/55/34186.html

By John Leyden
Posted: 25/11/2003 

A set of five unpatched scripting vulnerabilities in Internet Explorer 
creates a mechanism for hackers to compromise targeted PCs. 

The vulnerabilities, unearthed by Chinese security researcher Liu Die 
Yu, enable malicious Web sites and viruses to bypass the security zone 
settings in IE6. Used in combination, the flaws might be exploited to 
seize control of vulnerable PCs. 

Proof of Concept exploits have been released by Liu Die Yu to validate 
his warnings. 

Microsoft has yet to patch the flaws. But users can protect themselves 
against the flaws by disabling active scripting or by using an 
alternative browser. 

Thomas Kristensen, CTO of security Web site Secunia, told The Register 
that the five distinct vulns could be used in combination to install 
executables (viruses, Trojans and porn diallers). Secunia describes 
the vulnerabilities as "extremely critical". 

Despite this, Kristensen warns that Microsoft is unlikely to break its 
newly instituted monthly release cycle to release a stand-alone IE 
patch unless a vulnerability was widely exploited. Pending the 
availability of a patch, Secunia advises all IE users to disable 
active scripting. 

The drawback of this workaround is that with some Web sites certain 
functions won't work unless scripting is enabled. IE users should 
define any sites they need to use as trusted so that they can continue 
to use scripting on those sites alone, Kristensen advised. 

Secunia's advisory is here [1].

[1] http://www.secunia.com/advisories/10289



-
ISN is currently hosted by Attrition.org
