Explorer 6 users told to stop scripting

Security researchers in Denmark are warning users to disable "active scripting" in Microsoft's Internet Explorer 6.0 Web browser to prevent attackers from targeting and taking remote control of their PCs.

Niels Rasmussen, CEO of security research company Secunia ApS in Copenhagen, said yesterday that the latest vulnerabilities "allow malicious Web sites and viruses to bypass the security zone settings in Internet Explorer."

The discovery was made by researcher Liu Die Yu, who posted it on public reporting bulletin boards, Rasmussen said. The report said the problem combines "multiple 'minor' vulnerabilities" and "are as simple to exploit as the three-month-old Object Data vulnerability, which was exploited by several spam mails and pornographic Web pages" in recent months, Rasmussen said.

Presently, the only fix is to disable Explorer's active scripting so that the feature can't be used to attack the machine, according to Secunia. Other browsers that don't have the feature, such as Netscape Navigator, Mozilla or Opera, can be used without fear of attacks.

Art Manion, an Internet security analyst at the CERT Coordination Center at Carnegie Mellon University in the US, confirmed that his testing of the reported vulnerability showed that at least one of the reported problems can be duplicated on an Explorer 6 machine that has already been fully patched with existing Microsoft updates, meaning that the vulnerability does exist.

Manion said the problem is a "cross-domain scripting vulnerability," which incorrectly allows a script from one Web site to run on another domain when using Explorer 6. That means an attacker could potentially access data on a victim's PC, he said.

CERT has posted instructions on how to disable active scripting in Explorer 6 to protect users from attacks until a fix is found.

Debby Fry Wilson, director of the security business unit at Microsoft, said in a statement last night that the company is "investigating new public reports of possible vulnerabilities in Internet Explorer," based on the latest postings. "We have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports."

If the flaw is confirmed, Microsoft "will take the appropriate action to protect our customers, which may include providing a fix through our monthly patch release process or an out-of-cycle patch, depending on customer needs," she said.

Microsoft released Microsoft Security Bulletin MS03-048 on Nov. 11, which provided a cumulative patch for Internet Explorer, Wilson said. "We continue to encourage customers to install this security update -- and to follow our 'Protect Your PC' guidance of enabling a firewall, getting software updates and installing antivirus software."

Wilson also said Microsoft is concerned that the latest vulnerability reports weren't sent to the company before being made public, giving attackers time to use it for new attacks on users.

Reports of the vulnerabilities "were not disclosed responsibly, potentially putting computer users at risk," she said. "We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities, with no exposure to malicious attackers while the patch is being developed."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Todd R. Weiss

Computerworld
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?