http://www.theregister.co.uk/content/55/23557.html By John Leyden Posted: 04/01/2002 at 16:52 GMT Veteran bug hunter Georgi Guninski is recommending disabling Active Scripting - or ditching Internet Explorer entirely - after he discovered yet another vulnerability with the browser. IE allows hackers to browse known local files using a specially crafted script due to a bug in the browser's GetObject() JScript function, Guninski reports. The vulnerability, which is similar to previous directory transversal bugs and relates to how GetObject() interacts with the "htmlfile" ActiveX object, could allow the execution of arbitrary code on a target machine. Internet Explorer version 5.5 and 6.0 are thought to be affected. Microsoft was informed about the problem on December 11 and has yet to issue any response on the issue; but Guninski has produced test code to validate his warning, the latest in a long line he has made about IE. This is evident from Guninski's advice that users should not use "IE in hostile environments such as the internet", which pending a surprise mass defection to Opera, is hardly very practical. Yesterday Microsoft sent out an email to .Net Passport user strongly urging them to review the security of their browsers and apply a cumulative patch it issued in December. Users can check what security upgrades they might need here. Although there's nothing there to protect users from the latest risk, this is still well worth doing. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 10:23:25 PST