[ISN] eEye issues workaround against unpatched IE flaw
InfoSec News
isn at c4i.org
Wed Mar 29 03:35:29 EST 2006
http://www.theregister.co.uk/2006/03/28/eeye_ie_workaround/
By John Leyden
28th March 2006

Security firm eEye Digital Security has released a temporary fix to
protect Windows users against an unpatched vulnerability in Internet
Explorer.

The critical vulnerability, which involves the way IE handles HTML
Objects, affects even fully patched Windows XP systems. Exploits allow
hackers to commandeer vulnerable machines by tricking surfers into
visiting websites containing malicious code.

Users are advised to disable Active Scripting from within Internet
Explorer as a workaround pending the arrival of a patch from
Microsoft, expected on Tuesday, 11 April. Disabling Active Scripting
might prove problematic in some environments, however, so eEye has
stepped in to fill the breach with a temporary workaround.

"Users can protect themselves by manually making configuration
changes, but eEye realises that not all organisations can take those
steps. As a result, organisations should only install this patch if
they are not able to disable Active Scripting as a means of
mitigation," eEye cofounder and chief hacking officer Marc Maiffret
said.

eEye stresses that its workaround shouldn't be seen as a substitute
for a fully tested patch, but will provide "immediate protection in
lieu of an available fix". "In fact, eEye has engineered the patch to
automatically remove itself when Microsoft's official patch comes
through," Maiffret added. ®