US-CERT Alert: Exploit for Vulnerability in Microsoft Internet Explorer
Updated March 27, 2006 -- US-CERT is aware of active
exploitation of a vulnerability in the way Microsoft Internet
Explorer handles certain DHTML methods. By persuading a user to
access a specially crafted webpage, a remote, unauthenticated
attacker may be able to execute arbitrary code on that user's
system, or cause Internet Explorer to stop functioning.
More information about the reported vulnerability can be found in
the following US-CERT Vulnerability Note:
* VU#876678 - Microsoft Internet Explorer createTextRange()
vulnerability
Also, Microsoft has put out a security update for Internet Explorer that will help you avoid phishing scams. It removes a vulnerability that could allow an attacker to spoof the location of a web page in the address bar of the Internet Explorer window. It is highly recommended that you apply this patch if your computer has Internet Explorer installed (even if you do not use Internet Explorer as your primary web browser). To install this security update, please visit this Microsoft site, which also includes additional background information.
Known attack vectors for this vulnerability require that Active
Scripting is enabled in Internet Explorer. Disabling Active
Scripting will reduce the chances of exploitation. Until an update,
patch, or more information becomes available, US-CERT recommends
the following mitigation:
* Disable Active Scripting as specified in the Securing Your Web
Browser document.
* Review the additional workarounds in the Microsoft
Security Advisory 917077.
* Review Microsoft's recommendations to improve the safety of
browsing and email activity.
March 22, - CERT is aware of a vulnerability in the way Microsoft Internet Explorer handles the createTextRange() DHTML method. By persuading a user to access a specially crafted webpage, a remote, unauthenticated attacker may be able to execute arbitrary code on that user's system. This vulnerability can also be used to crash Internet Explorer.
US-CERT will continue to update current activity as more information
becomes available.
Posted by Francis
May's Patches
It's the first Tuesday of the month and Microsoft has released seven critical patches for vulnerabilities found on Excel, Word, Microsoft Office, Microsoft Exchange, Internet Explorer, CAPICOM, and Windows DNS Server. All of these allow for Remote Code Execution, which can be used by malware as an attack vector.
Source: US-CERT
time, ensuring that infected objects are not saved to the computer's hard disk. in for Microsoft Internet Explorer.