[ISN] Scripting flaws pose severe risk for IE users

From: InfoSec News (isn@private)
Date: Tue Nov 25 2003 - 23:45:00 PST

    http://www.theregister.co.uk/content/55/34186.html
    
    By John Leyden
    Posted: 25/11/2003 
    
    A set of five unpatched scripting vulnerabilities in Internet Explorer 
    creates a mechanism for hackers to compromise targeted PCs. 
    
    The vulnerabilities, unearthed by Chinese security researcher Liu Die 
    Yu, enable malicious Web sites and viruses to bypass the security zone 
    settings in IE6. Used in combination, the flaws might be exploited to 
    seize control of vulnerable PCs. 
    
    Proof of Concept exploits have been released by Liu Die Yu to validate 
    his warnings. 
    
    Microsoft has yet to patch the flaws. But users can protect themselves 
    against the flaws by disabling active scripting or by using an 
    alternative browser. 
    
    Thomas Kristensen, CTO of security Web site Secunia, told The Register 
    that the five distinct vulns could be used in combination to install 
    executables (viruses, Trojans and porn diallers). Secunia describes 
    the vulnerabilities as "extremely critical". 
    
    Despite this, Kristensen warns that Microsoft is unlikely to break its 
    newly instituted monthly release cycle to release a stand-alone IE 
    patch unless a vulnerability is widely exploited. Pending the 
    availability of a patch, Secunia advises all IE users to disable 
    active scripting. 
    
    The drawback of this workaround is that with some Web sites certain 
    functions won't work unless scripting is enabled. IE users should 
    define any sites they need to use as trusted so that they can continue 
    to use scripting on those sites alone, Kristensen advised. 
    
    Secunia's advisory is here [1].
    
    [1] http://www.secunia.com/advisories/10289
    
    
    