A highly critical vulnerability in Internet Explorer has prompted Microsoft to scramble for a workaround to the flaw.
Only rarely does Microsoft release security fixes outside its normal patch cycle on the second Tuesday of the month. But the Internet Explorer problem has proven so troubling that the company will make some type of workaround available as soon as possible, eWeek reported.
Researcher Andreas Sandblad with the Secunia monitoring website noted users of IE should disable Active Scripting until the patch is released. He posted more details about the problem as part of Secunia's advisory:
The vulnerability is caused due to an error in the processing of the "createTextRange()" method call applied on a radio button control. This can be exploited by e.g. a malicious web site to corrupt memory in a way, which allows the program flow to be redirected to the heap.
Successful exploitation allows execution of arbitrary code.
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition). Other versions may also be affected.
Microsoft's Lennart Wistrand confirmed the problem and also recommended turning off Active Scripting in an entry at the Microsoft Security Response Center Blog:
Our initial investigation has revealed that if you turn off Active Scripting, that will prevent the attack as this requires script. Customers who use supported versions of Outlook or Outlook Express aren't at risk from the email vector since script doesn't render in mail (being read in the restricted sites zone).
We're going to continue to look into this but remind you also that safe browsing practices can help here, like only visiting trusted websites, etc.
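To check whether the recommended workaround is in place on a Windows machine, the read-only PowerShell audit below reports the Active Scripting setting for the Internet and Restricted sites zones. It is an added example, not code from the article, Secunia or Microsoft. It assumes the standard Internet Explorer zone registry layout, where URL action `1400` holds the Active Scripting setting (0 = Enable, 1 = Prompt, 3 = Disable); the function name is hypothetical.

```powershell
# Added example: read-only audit of the Active Scripting setting per IE security zone.
# Assumption: URL action 1400 = Active Scripting; data 0 = Enable, 1 = Prompt, 3 = Disable.
$ActionName = '1400'
$Meaning    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Zones      = @{ 3 = 'Internet'; 4 = 'Restricted sites' }

# Policy and preference locations where the zone settings can be defined.
$Roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ActiveScriptingSetting {
    foreach ($zone in ($Zones.Keys | Sort-Object)) {
        foreach ($root in $Roots) {
            $path = Join-Path $root "$zone"
            $item = Get-ItemProperty -Path $path -Name $ActionName -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # value not defined at this location

            $value   = [int]$item.$ActionName
            $setting = 'Unknown'
            if ($Meaning.ContainsKey($value)) { $setting = $Meaning[$value] }

            [pscustomobject]@{
                Zone     = $Zones[$zone]
                Setting  = $setting
                Value    = $value
                Disabled = ($value -eq 3)
                Location = $path
            }
        }
    }
}

$results = @(Get-ActiveScriptingSetting)
$results | Format-Table Zone, Setting, Value, Location -AutoSize

# A zone passes only if every location that defines 1400 has it set to Disable.
foreach ($name in $Zones.Values) {
    $rows = @($results | Where-Object { $_.Zone -eq $name })
    if ($rows.Count -eq 0) { "${name}: 1400 is not set in any checked location" }
    elseif ($rows | Where-Object { -not $_.Disabled }) { "${name}: Active Scripting is NOT disabled in at least one location" }
    else { "${name}: Active Scripting is disabled everywhere it is defined" }
}
```

The script does not resolve which location takes precedence on a given machine; it flags a zone whenever any defined location leaves scripting enabled or set to prompt.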