Wednesday, March 29, 2006

Do You Trust Yourself? - Highly Critical IE Flaw In The Wild

Security Watch from PC Magazine - Highly Critical IE Flaw In The Wild:

"Executive Summary
Name: Critical IE Flaw: 'Vulnerability in the Way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution'
Affects: All Internet Explorer versions on all current versions of Windows
Security researchers have found and publicized a vulnerability in all current versions of Internet Explorer on Windows. The vulnerability in the handling of the 'createTextRange()' method call applied on a radio button control is easily exploitable. Exploits are already circulating and by this past weekend, malicious Web sites began to appear to compromise computers through it.

Microsoft has announced that they are testing a patch for the vulnerability. At present it is scheduled to be released on the next regularly scheduled patch day, April 11, 2006, but the company will consider an earlier release if circumstances warrant. Such circumstances would probably involve widespread exploitation."

Do you trust your own judgement?

Do you run everything in administrator mode?

Do you feel lucky?

If you trust yourself, set Active Scripting to prompt. If you click first and ask questions later, set it to disable.
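As an added example (not part of this post or the PC Magazine article), a PowerShell script that reports the current user's Internet zone Active Scripting level and can switch it to Prompt or Disable as suggested above. It assumes the standard IE zone registry layout: zone 3 is the Internet zone and the DWORD value named 1400 controls Active Scripting (0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example: check (and optionally harden) Active Scripting for the IE Internet zone.
# Assumption: zone 3 = Internet zone, value "1400" = Active scripting,
# with 0 = Enable, 1 = Prompt, 3 = Disable.
param(
    [ValidateSet('Enable', 'Prompt', 'Disable')]
    [string]$Set   # omit this parameter to only report the current level
)

$zonePath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$valueName = '1400'
$levels    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$codes     = @{ 'Enable' = 0; 'Prompt' = 1; 'Disable' = 3 }

function Get-ActiveScriptingLevel {
    # Read the per-user zone setting; a missing value means IE falls back to its built-in default.
    $item = Get-ItemProperty -Path $zonePath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Absent (IE built-in default applies)' }
    $code = [int]$item.$valueName
    if ($levels.ContainsKey($code)) { return $levels[$code] }
    return "Unknown ($code)"
}

Write-Host "Internet zone Active Scripting: $(Get-ActiveScriptingLevel)"

if ($Set) {
    # Per-user change, no elevation required. A machine-wide policy under HKLM
    # can still override what is written here.
    Set-ItemProperty -Path $zonePath -Name $valueName -Value $codes[$Set] -Type DWord
    Write-Host "Internet zone Active Scripting is now: $(Get-ActiveScriptingLevel)"
}
```

Run it with no arguments to audit, or with `-Set Prompt` / `-Set Disable` to apply the level the post recommends; restart IE for the change to take effect.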

This vulnerability cannot be spread through HTML e-mail except through very old versions of e-mail clients which have not been patched in at least 5 years. Current Internet Explorer-based mail clients default to a model where scripting is blocked in all messages unless this setting is changed by the user.

To be exploited, the user would have to visit an affected Web page using Internet Explorer or an IE-based application. It is likely that many of the users who will be affected by this flaw have adware on their systems which will serve them advertisements that exploit the flaw. Such users, already compromised by the adware, are especially vulnerable to further attacks.

Consider the fact that this zero-day exploit can turn your machine into somebody else's machine!

http://www.pcmag.com/article2/0,1895,1943175,00.asp