Patches Coming for 9 Fresh IE Holes


CritterNYC - 6:34 pm on Jul 13, 2004 (gmt 0)


New IE Vulnerabilities

In addition to the unpatched vulnerability currently being exploited, Secunia has found 4 new critical flaws in Internet Explorer versions 5.01, 5.5 and 6.0 on Windows. These new flaws again allow for the execution of arbitrary code (read: auto-installed spyware, malware, spamware). Details of the vulnerabilities as well as proof-of-concept exploit code are available here:
[secunia.com...]

Word and MSN Messenger shell: exploit

Apparently, MS Word and MSN Messenger are also vulnerable to the shell: exploit that Mozilla recently patched. The vulnerability is due to a security issue within Windows that will be patched by Windows XP Service Pack 2. There is currently no other patch available.
[infoworld.com...]

Locking Down Internet Explorer

There is no patch for the 5 current exploits. To protect yourself, Internet Explorer should be set to disable Active Scripting (VB and JavaScript) on all websites except those in your Trusted Sites Zone. To accomplish this:

1. Launch Internet Explorer.
2. Click TOOLS and then Internet Options.
3. Click the Security Tab.
4. Select the Internet Web content zone.
5. Click Custom Level.
6. In the list, scroll down to Active Scripting and set it to Disabled.
7. Click OK.
8. Select the Local Intranet Web content zone.
9. Click Custom Level.
10. In the list, scroll down to Active Scripting and set it to Disabled.
11. Click OK.

IMPORTANT: This should lock you down safely, but will break any site relying on JavaScript. If you encounter a site you wish to enable JavaScript for, you can add it to your Trusted Sites zone.

1. Launch Internet Explorer.
2. Click TOOLS and then Internet Options.
3. Click the Security Tab.
4. Select the Trusted Sites content zone.
5. Click the Sites button.
6. Add any sites you wish to trust.
7. Uncheck the Require HTTPS checkbox.
8. Click OK.

Windows XP Service Pack 2

Windows XP Service Pack 2 (currently in Beta as a Release Candidate) should fix the 5 vulnerabilities mentioned above; however, Microsoft does not recommend running it on production systems. Additionally, there has already been a report of a script-injection technique on IE in SP2 that is still working. This has not yet been verified.

If you genuinely wish to continue using IE and need JavaScript enabled for all sites, it may be worth checking out Windows XP SP2. A number of people are running it on their systems without issues (plus the popup blocker in the new IE is supposed to be pretty good), so it may be worth a shot.

Switch to an Alternate Browser

You may also wish to consider switching to another browser without these security issues. Mozilla 0.9.2 is an option, as is Opera 7.52. Note the version numbers, as previous versions of those browsers have security issues as well.

[mozilla.org...]
[opera.com...]
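
The zone lockdown steps in the post above can also be audited and applied from a script. This is an added example, not part of the original post: it relies on the standard Internet Explorer per-user zone registry keys (zone 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet; value `1400` = Active Scripting), and the `-Apply` switch and function names are hypothetical.

```powershell
# Added example: report the Active Scripting setting for each IE zone and,
# with -Apply, disable it in the Internet and Local Intranet zones.
# Value "1400" (Active Scripting): 0 = Enable, 1 = Prompt, 3 = Disable.
# Only the per-user (HKCU) settings are handled; machine-wide or policy
# settings can override them and are outside the scope of this example.
param([switch]$Apply)

$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet' }
$StateName = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$Lockdown  = 1, 3   # zones the post says to set to Disabled

function Get-ActiveScripting {
    param([int]$Zone)
    $key  = Join-Path $ZonesRoot $Zone
    $prop = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }   # key or value missing
    return [int]$prop.'1400'
}

function Set-ActiveScriptingDisabled {
    param([int]$Zone)
    $key = Join-Path $ZonesRoot $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # -Force overwrites an existing value instead of failing
    New-ItemProperty -Path $key -Name '1400' -Value 3 -PropertyType DWord -Force | Out-Null
}

foreach ($zone in 1, 2, 3) {
    $inScope = $Lockdown -contains $zone
    if ($Apply -and $inScope -and ((Get-ActiveScripting -Zone $zone) -ne 3)) {
        Set-ActiveScriptingDisabled -Zone $zone
    }
    $value = Get-ActiveScripting -Zone $zone
    $state = if ($null -eq $value) { 'Not set for this user' }
             elseif ($StateName.ContainsKey($value)) { $StateName[$value] }
             else { "Unknown ($value)" }
    [pscustomobject]@{
        Zone            = $ZoneNames[$zone]
        ActiveScripting = $state
        # Trusted Sites is reported for visibility but is not locked down
        LockedDown      = if ($inScope) { $value -eq 3 } else { 'n/a' }
    }
}
```

Run without `-Apply` the script only reports; the Trusted Sites row shows where scripting remains allowed after the lockdown.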


Thread source: http://www.webmasterworld.com/html/8292.htm