Computing in the real world
JavaScript flaw returns to threaten Internet Explorer
12:15PM, Wednesday 30th November 2005
Microsoft is warning customers that it knows of malicious software being used to exploit a security hole in Internet Explorer, which is as yet unpatched.

Stephen Toulouse from Microsoft's Security Response Center posted on the company blog that 'I wanted to go ahead and let you know some breaking information. We've been made aware that there has been some malicious software exploiting the recently publicly disclosed Internet Explorer vulnerability ... you can visit Windows Live Safety Center if you think you might be infected as a result of this vulnerability. We encourage you to use the Complete Scan option to check for and remove this malicious software. Know that the IE team is hard at work on an update, and we will continue to investigate these public reports.'

The vulnerability was first announced in May, but recently proof of concept code was made available that demonstrated how the security flaw could be exploited via JavaScript functions to feed in and execute malicious code remotely.

To do this successfully, an attacker would have to persuade a victim to visit a malicious website. Despite this slight mitigation, the availability of the proof of concept code has escalated the risk posed by the problem. Secunia now rates it as 'Extremely critical' - its highest warning level.

The vulnerability affects pretty much every version of Windows, from 98 to XP SP2, and potentially Windows Server 2003 systems if the 'Enhanced Security Configuration' option has been turned off (although by default it is enabled).

Microsoft is somewhat miffed at the public disclosure of the proof of concept code before it had time to come up with a patch. The escalation of the danger posed by this hole was announced only a little more than a week ago, and Microsoft is now trying to balance building a patch as quickly as possible against taking the time to ensure the patch is stable and doesn't cause other problems.

'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed,' it says.

Anyone who suspects they might have been affected by the malicious code is advised to visit the Windows Live Safety Center and run a complete scan.
