An important read for home as well as office internet users.
NO PATCH IS AVAILABLE at this time; you will have to decide on
an individual basis whether or not implementing the workaround at
the bottom affects sites you may visit. I would expect a Microsoft
response shortly, but depending on the nature of the flaw it may take
a while for them to release a patch.
-Tony
INFORMATION ALERT
AN EMERGING ISSUE WITH:
MICROSOFT INTERNET EXPLORER CROSS-SITE SCRIPTING VULNERABILITY
SUMMARY:
Bugtraq posts yesterday and today from unrelated security
researchers describe flaws in Internet Explorer (IE) versions 5,
5.5, and 6 that allow Cross-Site Scripting (CSS) attacks. A hacker
could exploit this flaw to execute code on your machine or run
scripts within the My Computer zone.
EXPOSURE
By applying this Cross-Site Scripting attack,
a hacker could run scripts in IE's My Computer zone (less
restricted) or hijack any program on your machine.
In Larholm's original advisory, IE6 was the only version of IE
susceptible to this Cross-Site Scripting attack. However, GreyMagic
quickly followed with an advisory confirming Larholm's findings and
describing a component that ships with
IE5 and 5.5 which is also vulnerable to this Cross-Site Scripting
attack. In short, IE 5, 5.5 and 6 are all susceptible.
WORKAROUND:
Microsoft has not released a patch yet. However, according to
Larholm, IE users can prevent this attack by disabling scripting in
IE. To do this, click on Tools => Internet Options => Security tab
in IE. Highlight the Internet zone and click the Custom Level
button. Scroll down till you find "Active Scripting" and check
Disable. Finally, click on OK twice. Keep in mind, many Web sites
and HTML-based applications might require Active Scripting for
normal usage. Disabling Active Scripting could prevent safe sites
from working properly.
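
The same setting can be read, and set, in the registry instead of the dialog. The PowerShell below is an added example, not part of the original alert: it assumes the standard per-user zone keys, where zone 3 is the Internet zone and action 1400 is Active Scripting (0 = enable, 1 = prompt, 3 = disable), and the -Apply switch is a name chosen here.

```powershell
# Added example: report the Active Scripting setting for every IE security zone
# and, with -Apply, set it to Disable for the Internet zone (the workaround above).
# Assumption: per-user settings in HKCU; machines managed by Group Policy may
# override these values from the Policies branch of the registry.
param([switch]$Apply)   # hypothetical switch name; without it nothing is changed

$zonesKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$action       = '1400'  # URL action id for "Active Scripting"
$zoneNames    = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                   3 = 'Internet';    4 = 'Restricted sites' }
$settingNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingState {
    foreach ($zone in 0..4) {
        $path  = Join-Path $zonesKey "$zone"
        $value = $null
        if (Test-Path $path) {
            $item  = Get-ItemProperty -Path $path -Name $action -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.$action }
        }
        # A missing value means the zone falls back to its built-in default.
        if ($null -eq $value) {
            $setting = 'not set (default applies)'
        } elseif ($settingNames.ContainsKey([int]$value)) {
            $setting = $settingNames[[int]$value]
        } else {
            $setting = "unknown ($value)"
        }
        [pscustomobject]@{ ZoneId = $zone; Zone = $zoneNames[$zone]; ActiveScripting = $setting }
    }
}

if ($Apply) {
    $internet = Join-Path $zonesKey '3'
    if (-not (Test-Path $internet)) { New-Item -Path $internet -Force | Out-Null }
    # 3 = Disable, the same choice as checking "Disable" under Custom Level.
    Set-ItemProperty -Path $internet -Name $action -Value 3 -Type DWord
}

Get-ActiveScriptingState | Format-Table -AutoSize
```

Run it once without -Apply to see the current state; Internet Explorer reads the new value the next time it starts.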