The createTextRange() method exploit could permit the arbitrary execution of code through Internet Explorer, and malicious sites that take advantage of the as-yet-unpatched flaw have been sighted online.
By disabling Active Scripting in IE as recommended by Microsoft, users should be able to avoid the impact of a highly critical flaw in the browser. Both Secunia and Sophos have reported exploit code being in the wild.
If a Windows user who is running IE with Active Scripting enabled, and who has administrative rights on the PC, encounters this malicious code online, the system could be exploited and code executed remotely by an unknown user.
Microsoft has confirmed the existence of the flaw and has a patch in development. It is not known whether Microsoft will release the patch early, or wait until its next scheduled patch release date of April 11th.
Sooner may be better than later, as a representative with Sophos noted on their website today:
“With no patches yet available to plug this hole, both home users and businesses need to exercise caution here,” said Carole Theriault, senior security consultant at Sophos. “Users without any additional security measures, such as firewall and anti-virus software, and users who surf the web and open emails without care, are at much higher risk than those who practice safe computing.”