Saturday, July 03, 2004

Microsoft posts work-around for IE flaw - News - ZDNet

Microsoft posts work-around for IE flaw - News - ZDNet:
"Microsoft released on Friday a work-around for an Internet Explorer vulnerability that has left Windows users open to attacks for almost nine months.

The flaw, in an ActiveX scripting component, gained notoriety last month when it became the mechanism used by a network of compromised Web sites to install a malicious program on victims' computers. Microsoft has decided to plug the hole by turning off the ability for the ActiveX component to write to the operating system. The software giant published the work-around on its Web site and directed customers to use its Windows update service to download the patch."

Though Microsoft intends the change to become a standard configuration for Windows, the software giant is working on a more comprehensive solution, said Stephen Toulouse, security program manager for Microsoft's security response center.

The change fixes a problem that allowed several compromised Web sites to infect visitors' PCs with a Trojan horse program, known as Download.Ject or JS.Scob.Trojan. The program would record the keystrokes and send them to an overseas e-mail address. That Internet Explorer security issue and several others led some security experts to suggest that users should consider alternative browsers.

Microsoft's configuration change blocks the ability of the ADODB.screen ActiveX component to write to the PC's hard drive. ActiveX, which adds interactivity to Web sites viewed with Internet Explorer, has long been thought to have security issues.

This particular vulnerability has been known about for more than 9 months.

http://www.microsoft.com/security/incident/download_ject.mspx

http://zdnet.com.com/2100-1105_2-5256297.html
