NEWS FROM THE LAB - Tuesday, November 22, 2005

Internet Explorer 0-day

Posted by Mika @ 07:30 GMT

A group called "Computer Terrorism" has released a Proof-of-Concept exploit for an unpatched Microsoft Internet Explorer vulnerability. The exploit allows remote code execution on most Windows systems, including XP SP2. For example, the vulnerability can be exploited if a user visits a web site controlled by the attacker.

The flaw is related to the JavaScript functionality in IE. So, one solution to this problem is to disable Active Scripting in IE. Another solution would be to use some other web browser. Also, as always, running as a restricted user greatly limits the damage these kinds of attacks can cause.
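
An added example, not part of the original post: a PowerShell check of the Active Scripting setting (URL action 1400) in each IE security zone, plus a helper that disables it in the Internet zone for the current user. The function names are hypothetical, and the lookup order (policy keys before the per-user key) is a simplifying assumption.

```powershell
# Added example: audit Active Scripting (URL action 1400) per IE security zone.
# Value meanings for 1400: 0 = enabled, 1 = prompt, 3 = disabled.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet';    4 = 'Restricted Sites' }
$States    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Assumption: policy locations are consulted before the per-user setting.
$Roots = [ordered]@{
    'Machine policy' = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'User policy'    = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'User setting'   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
}

function Get-ActiveScriptingState {
    foreach ($zone in 0..4) {
        $value = $null
        $source = 'Not set'
        foreach ($name in $Roots.Keys) {
            $path = Join-Path $Roots[$name] $zone
            $item = Get-ItemProperty -Path $path -Name '1400' -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $value = [int]$item.'1400'
                $source = $name
                break
            }
        }
        $state = if ($null -eq $value) { 'Not set' }
                 elseif ($States.ContainsKey($value)) { $States[$value] }
                 else { "Unknown ($value)" }
        [pscustomobject]@{ Zone = $ZoneNames[$zone]; State = $state; Source = $source }
    }
}

function Disable-InternetZoneScripting {
    # Writes the per-user setting only; a policy value, if present, still wins.
    $path = Join-Path $Roots['User setting'] 3
    Set-ItemProperty -Path $path -Name '1400' -Value 3 -Type DWord
}

# Report the current state; flag the Internet zone if scripting is not disabled.
$report = Get-ActiveScriptingState
$report | Format-Table -AutoSize
$internet = $report | Where-Object { $_.Zone -eq 'Internet' }
if ($internet.State -ne 'Disabled') {
    Write-Warning "Active Scripting in the Internet zone is '$($internet.State)'."
}
```

Disabling Active Scripting in the Internet zone breaks many sites; sites that need scripting can be placed in the Trusted Sites zone instead.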

Apparently Microsoft was informed about this bug in May. Earlier it was seen as a denial-of-service vulnerability. Microsoft has not released a patch yet, but a Security Advisory on the issue is available.