Unpatched IE Bug Now 'Extremely Critical'
Originally, vulnerability researcher Benjamin Tobias Franz detailed a bug in IE 5.01 and 6.0 editions could result in a denial-of-service (DoS) attack; now, however, security vendor Computer Terrorism Ltd. said that the flaw could be used by an attacker to install and remotely run his own code on a compromised PC. The bottom line: machines could be hijacked by hackers who enticed users to a malicious Web site.
The flaw is another example of IE incorrectly initializing certain objects, and can be exploited when the JavaScript "Windows()" command is used in combination with the "" event.
Computer Terrorism also published proof-of-concept code for an exploit to show how the commands could be used by an attacker.
The change in seriousness of the vulnerability and the publishing of exploit code caused security vendors to raise the alarm. Danish-based vulnerability tracker Secunia, for instance, tagged the bug with its highest-level "Extremely critical" label, and said that it had confirmed the vulnerability on fully-patched versions of Internet Explorer 6.0 running under Windows XP SP2 and Windows 2000 SP4, the most up-to-date editions of those two operating systems.
"Prior to the release of this information, this vulnerability was considered low risk, and was not believed to allow arbitrary code execution," added Symantec in an advisory sent to customers of its DeepSight Threat Management System. "There are no vendor supplied patches available to eliminate this issue."
Symantec also confirmed that the proof-of-concept code works as advertised, "although 100% reliability cannot be demonstrated at this time."
Both Secunia and Symantec recommended that users disable Active scripting until a patch is forthcoming.
To disable Active scripting in IE, users should choose Tools/Internet Options, click the Security tab, click on the Custom Level button, and scroll to the Scripting section. Next, select the Disable radio button next to Active scripting; to close, click Yes.