eEye Digital Security is advising customers of the existence of exploit code that targets a critical security vulnerability in Microsoft Internet Explorer. The Microsoft IE exploit pertains to an unpatched vulnerability that has been released on various public mailing lists. This issue affects any Windows operating system running Internet Explorer versions 5.01 SP4 through 6.0 SP1.

The vulnerability results from the method in which Internet Explorer handles HTML Objects. This flaw allows for remote code to be executed on the target system. If successfully exploited, an attacker will only have the rights of the currently logged on user. System Administrators should be careful to not use Administrator accounts for general system use.

Currently, there have been numerous reports of this vulnerability being used on various websites in attempts to install Spyware and remote control "bot" software for use in Distributed Denial of Service (DDoS) attacks.

Recommendations:

The recommended action required to protect systems against this attack is to disable Active Scripting from within Internet Explorer. Following are the steps required to disable Active Scripting:

1. On the Internet Explorer Tools menu, click Internet Options, click the Security tab, click the Internet Web content zone, and then click Custom Level.
2. In the Settings box, scroll down to the Scripting section, and click Disable under Active scripting and Scripting of Java applets.
3. Now click OK and then click OK again.

NOTE: In Internet Explorer, the term "Active scripting" or "ActiveX scripting" refers to both Microsoft JScript scripting and Microsoft Visual Basic Scripting Edition. When you complete this procedure, you disable both types of scripts. If you are able to load the Web page after performing this step, the problem is being caused by Active scripting that the Web page contains. The script most likely is written incorrectly, or contains unsupported objects, properties, or elements.
Source: http://www.gameshout.com/index.php/...itical_security_vulnerability/article4411.htm

megamaced when you come back from your exams, you can add this to your security article as well~!
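The mitigation steps in the advisory above can also be checked and applied from a script. This is an added example, not part of the original post or the eEye advisory. It assumes the standard Internet Explorer security-zone registry layout, which the advisory does not mention: zone 3 is the Internet zone, URL actions 1400 and 1402 are the two scripting options, and values 0, 1 and 3 mean Enable, Prompt and Disable.

```powershell
# Added example (not from the advisory). Reports whether the two scripting
# options are disabled for the Internet zone; run with -Apply to disable them.
param([switch]$Apply)

# Assumption: standard IE zone layout; zone 3 is the Internet zone.
$zone     = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$policy   = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$userPath = "HKCU:\$zone"
# Policy keys override the per-user value; machine policy is checked first.
$policyPaths = @("HKLM:\$policy", "HKCU:\$policy")

# URL action IDs for the two options named in the advisory's steps.
$actions = @(
    @{ Id = '1400'; Name = 'Active scripting' },
    @{ Id = '1402'; Name = 'Scripting of Java applets' }
)
$labels  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Disable = 3

function Get-ActionValue([string]$Path, [string]$Id) {
    $item = Get-ItemProperty -Path $Path -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Id
}

foreach ($action in $actions) {
    $id = $action.Id
    if ($Apply) {
        if (-not (Test-Path $userPath)) { New-Item -Path $userPath -Force | Out-Null }
        Set-ItemProperty -Path $userPath -Name $id -Value $Disable -Type DWord
    }
    # Effective value: first policy key that defines the action, else the user key.
    $value = $null; $source = 'user setting'
    foreach ($p in $policyPaths) {
        $v = Get-ActionValue $p $id
        if ($null -ne $v) { $value = $v; $source = "policy ($p)"; break }
    }
    if ($null -eq $value) { $value = Get-ActionValue $userPath $id }

    if ($null -eq $value) { $state = 'not set (zone default applies)' }
    elseif ($labels.ContainsKey($value)) { $state = $labels[$value] }
    else { $state = "unrecognised value $value" }

    $ok = if ($value -eq $Disable) { 'OK' } else { 'NOT DISABLED' }
    "{0,-13} {1,-26} {2} [{3}]" -f $ok, $action.Name, $state, $source
}
```

If a policy key defines the action, the per-user value written by -Apply has no effect and the report still shows the policy value, so the change has to be made in the policy instead.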
The patch you are reporting on is the second 3rd party patch to come out in only a few months. The first one was related to the Metafile flaw. This really shows how inadequate Microsoft are at releasing security updates. I could do, but I think people are better off ditching Internet Explorer altogether.