Explorer 6 users told to stop scripting

Security researchers in Denmark are warning users to disable "active scripting" in Microsoft's Internet Explorer 6.0 Web browser to prevent attackers from targeting and taking remote control of their PCs.

Niels Rasmussen, CEO of security research company Secunia ApS in Copenhagen, said yesterday that the latest vulnerabilities "allow malicious Web sites and viruses to bypass the security zone settings in Internet Explorer."

The discovery was made by researcher Liu Die Yu, who posted it on public reporting bulletin boards, Rasmussen said. The report said the problem combines "multiple 'minor' vulnerabilities" and "are as simple to exploit as the three-month-old Object Data vulnerability, which was exploited by several spam mails and pornographic Web pages" in recent months, Rasmussen said.

Presently, the only fix is to disable Explorer's active scripting so that the feature can't be used to attack the machine, according to Secunia. Other browsers that don't have the feature, such as Netscape Navigator, Mozilla or Opera, can be used without fear of attacks.

Art Manion, an Internet security analyst at the CERT Coordination Center at Carnegie Mellon University in the US, confirmed that his testing of the reported vulnerability showed that at least one of the reported problems can be duplicated on an Explorer 6 machine that has already been fully patched with existing Microsoft updates, meaning that the vulnerability does exist.

Manion said the problem is a "cross-domain scripting vulnerability," which incorrectly allows a script from one Web site to run on another domain when using Explorer 6. That means an attacker could potentially access data on a victim's PC, he said.

CERT has posted instructions on how to disable active scripting in Explorer 6 to protect users from attacks until a fix is found.

Debby Fry Wilson, director of the security business unit at Microsoft, said in a statement last night that the company is "investigating new public reports of possible vulnerabilities in Internet Explorer," based on the latest postings. "We have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports."

If the flaw is confirmed, Microsoft "will take the appropriate action to protect our customers, which may include providing a fix through our monthly patch release process or an out-of-cycle patch, depending on customer needs," she said.

Microsoft released Microsoft Security Bulletin MS03-048 on Nov. 11, which provided a cumulative patch for Internet Explorer, Wilson said. "We continue to encourage customers to install this security update -- and to follow our 'Protect Your PC' guidance of enabling a firewall, getting software updates and installing antivirus software."

Wilson also said Microsoft is concerned that the latest vulnerability reports weren't sent to the company before being made public, giving attackers time to use it for new attacks on users.

Reports of the vulnerabilities "were not disclosed responsibly, potentially putting computer users at risk," she said. "We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities, with no exposure to malicious attackers while the patch is being developed."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Todd R. Weiss

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?