Microsoft does it again!
Well, just last weekend I blogged about a Microsoft IE security vulnerability that I used for a class report, and amazingly the same flaw has been discovered in Windows XP SP2 and IE once again. If you want to see if your browser might be vulnerable, click here and look for Test Your System, then click the link below.
The vulnerability is caused by an error in the DHTML Edit ActiveX control when handling the "execScript()" function in certain situations. This can be exploited to execute arbitrary script code in a user's browser session in the context of an arbitrary site. The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2.
As this past Tuesday was the second Tuesday of the month, and therefore Microsoft Patch Day, I wonder if MS might put out a patch before the next patch day in January? Anyway, here is what to do to resolve the problem until there is a patch.
Set security level to high for the "Internet" zone (disable ActiveX support). So in your browser go to Tools > Internet Options and select the Security tab. Click the Internet zone, click the Custom Level button at the bottom of the screen, and then scroll down in the resulting screen until you see "Script ActiveX controls marked safe for scripting" and select the Disable radio button. Click the OK button and select Yes when the warning screen pops up.
Then test your work by going back to the test page I linked to above. You should receive a dialog stating "an ActiveX control on this page is not safe" and the page won't display.
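For administrators who would rather check this setting from a script than click through the dialog, here is an added example (not part of the original post). It relies on the standard Internet Explorer zone mapping, where zone 3 is the Internet zone and URL action 1405 is "Script ActiveX controls marked safe for scripting" (0 = Enable, 1 = Prompt, 3 = Disable); the script, function and variable names are my own.

```powershell
# Added example: audit (and optionally set) URL action 1405 for the Internet zone.
# Zone 3 = Internet; 1405 = "Script ActiveX controls marked safe for scripting".
# Run with -Apply to write the Disable value (3) for the current user only.
param([switch]$Apply)

$action   = '1405'
$zoneTail = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Every registry location where this zone setting can be stored.
$locations = [ordered]@{
    'Machine policy'  = "HKLM:\Software\Policies\$zoneTail"
    'User policy'     = "HKCU:\Software\Policies\$zoneTail"
    'User setting'    = "HKCU:\Software\$zoneTail"
    'Machine setting' = "HKLM:\Software\$zoneTail"
}

function Get-ActionState {
    param([string]$Path)
    # A missing key or value means nothing is configured at this location.
    $item = Get-ItemProperty -Path $Path -Name $action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set' }
    $value = [int]$item.$action
    if ($meaning.ContainsKey($value)) { return "$value ($($meaning[$value]))" }
    return "$value (unrecognised)"
}

if ($Apply) {
    # Same effect as choosing Disable in the Custom Level dialog for this user.
    $userKey = $locations['User setting']
    if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
    Set-ItemProperty -Path $userKey -Name $action -Value 3 -Type DWord
}

# Report the state at each location so a conflicting policy value is visible.
foreach ($name in $locations.Keys) {
    [pscustomobject]@{ Location = $name; State = Get-ActionState $locations[$name] }
}
```

If a policy location reports a value other than 3, change it through Group Policy, since a policy value takes precedence over the per-user setting.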
Happy safe computing!