Personal Tech Pipeline | News | Unpatched IE Bug Now "Extremely Critical"

White Papers

Sponsor Resources

Free Newsletter GlossaryContact UsAbout Us
Players & CamsPhones & PDAsHome & AutoOnline

November 21, 2005

Unpatched IE Bug Now "Extremely Critical"

Courtesy of TechWeb News

A unpatched flaw in Microsoft's Internet Explorer browser that first surfaced in late May was upgraded Monday by a security firm to "extremely critical" status after proof-of-concept code for a working exploit hit the Web.

Originally, vulnerability researcher Benjamin Tobias Franz detailed a bug in IE 5.01 and 6.0 editions could result in a denial-of-service (DoS) attack; now, however, security vendor Computer Terrorism Ltd. said that the flaw could be used by an attacker to install and remotely run his own code on a compromised PC. The bottom line: machines could be hijacked by hackers who enticed users to a malicious Web site.

The flaw is another example of IE incorrectly initializing certain objects, and can be exploited when the JavaScript "Windows()" command is used in combination with the "" event.

Computer Terrorism also published proof-of-concept code for an exploit to show how the commands could be used by an attacker.

The change in seriousness of the vulnerability and the publishing of exploit code caused security vendors to raise the alarm. Danish-based vulnerability tracker Secunia, for instance, tagged the bug with its highest-level "Extremely critical" label, and said that it had confirmed the vulnerability on fully-patched versions of Internet Explorer 6.0 running under Windows XP SP2 and Windows 2000 SP4, the most up-to-date editions of those two operating systems.

"Prior to the release of this information, this vulnerability was considered low risk, and was not believed to allow arbitrary code execution," added Symantec in an advisory sent to customers of its DeepSight Threat Management System. "There are no vendor supplied patches available to eliminate this issue."

Symantec also confirmed that the proof-of-concept code works as advertised, "although 100% reliability cannot be demonstrated at this time."

Both Secunia and Symantec recommended that users disable Active scripting until a patch is forthcoming.

To disable Active scripting in IE, users should choose Tools/Internet Options, click the Security tab, click on the Custom Level button, and scroll to the Scripting section. Next, select the Disable radio button next to Active scripting; to close, click Yes.

E-mail This Story
Print This Story
Reprint This Story

Get the latest Personal Tech news, product info, and trends every week.

Related Content

  Right-click and choose Copy to extract RSS Feed URL  Personal Tech Pipeline's Main RSS Feed
  Right-click and choose Copy to extract RSS Feed URL  Personal Tech Pipeline's Blog RSS Feed

Keeping Up To Date On Enterprise Server Tech?
Review our compilation of columns on server security, database software, and Linux issues.
How to Achieve High Performance Through IT
Learn to achieve high performance by aligning IT to
strategic objectives and solutions to unlock that value.
Using Current Performance to Shape
Future Results

Hear new strategies for improving business
performance and results.

Editor's Picks

Well, Microsoft has "unfolded" its "Origami" ultra-mobile PC platform Thursday. It turned out to be a full-featured PC smaller than a tablet but bigger than a PDA. Are you impressed?
Yes! I want one!
Sort of. We'll see.
No! It's too big for a pocket and too small for real computing. What's the point?

In search of personal tech products? See our new Product Finder, where you'll find personal computing devices, communications solutions, security products, and more.

On the CIO Agenda with IBM
With business growth back on the agenda, the role of the CIO is changing from manager of technology to C-suite collaborator in enabling innovation that matters for the business. Read an executive summary and register to download the full IBM paper.

Symantec Backup Solutions
Desktop to Data Center Protection. Explore the Official Symantec Site.

SEC & HIPAA IM Compliance
Satisfy regulatory and compliance requirements for instant messaging.

Secure & Easy Console Management with Digi CM
The Digi CM console server provides secure, intelligent & easy access to network devices with a serial console port. With Digi CM, you can securely monitor & control servers, routers, switches & other devices even when your network is down.

Understand the financial impact of open source.
Will open source pay off? Open source is becoming standard within enterprises, often because of cost savings. Find out how much of a financial impact it can have on your organization. Get this methodology and calculator now, compliments of JBoss. Go!

Buy a Link Now

Top ten search terms from the TechWeb TechEncyclopedia
How does your pay rate? Check the InformationWeek Salary Survey
Mobilized Solutions Guide: Find and compare solutions for your business
Top Requested White Paper Categories from TechWeb White paper Library
Top ten search terms from the TechWeb TechEncyclopedia