[ISN] Critical IE fix due Tuesday

[InfoSec News]

http://www.theregister.co.uk/2006/04/07/ie_patch_scheduled/

By John Leyden
7th April 2006 

Microsoft has confirmed it plans to release a fix for a serious 
security bug in Internet Explorer next Tuesday (11 April). The fix for 
the "CreateTextRange" vulnerability - which has become the subject of 
hacker exploits over recent days - will be released as a cumulative 
update to Internet Explorer along with four other security bulletins 
(details here [1]).

Late last month, numerous maliciously constructed websites began 
attempting to exploit the "CreateTextRange" vulnerability to install 
Trojans, botnet clients and other forms on malware on victim PCs. This 
malicious activity, together with the lack of an immediate fix from 
Microsoft, prompted two security firms (Determina and eEye Digital 
Security) to each issue standalone patches to mitigate the risk of 
attack. Microsoft advised orgainsations to disable Active Scripting as 
a workaround.

Internet Explorer has become the subject of a number of unpatched
vulnerabilities over recent weeks. In the latest such incident,
security notification firm Secunia warned [2] this week of an
unpatched flaw in IE that might be used to spoof the address bar in a
browser.  Because of this behaviour, the bug might be used to make
phishing attacks more convincing. ®

[1] http://www.microsoft.com/technet/security/bulletin/advance.mspx
[2] http://secunia.com/advisories/19521/