A vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0/5.5 and Microsoft Windows XP SP2, and Internet Explorer 6.0 and Microsoft Windows 2000 SP4.
The vulnerability,which can be exploited by malicious people to compromise a user's system, is caused due to certain objects not being initialized correctly when the "window()" function is used in conjunction with the "<body onload>" event. This can be exploited to execute arbitrary code on a vulnerable browser via some specially crafted JavaScript code called directly when a site has been loaded.
*Note* I have personally tested this venerability and found it to be 100% real. It is very easy to exploit remotely.
Recommendations:
1) Use an alternative browser. While other browsers (such as Firefox) will crash when presented with this exploit it will not allow arbitrary code to be executed on your computer.
2) Disable Javascript - WARNING This may cause many websites to stop functioning.
1. Open Internet Explorer.
2. Select Internet Options from the Tools menu.
3. In Internet Options dialog box select the Security tab.
4. Click Custom level button at bottom. The Security settings dialog box will pop up.
5. Under Scripting category disable* Active Scripting, Allow paste options via script and Scripting of Java applets (will be at almost bottom of list)
6. Click OK twice to close out.
7. Close Internet Explorer.
*Note - You can choose Prompt if you want, but this may cause you to be prompted on a lot of site a lot of times.
Unfortunately these are the only two safe things you can do on a Windows system. Contuine to watch MS windows update site as well. |
