Critical Security flaw in IE

[ROM-DOS]

Critical Security flaw in IE

http://www.enn.ie/news.html?code=9654533

Alarm raised over 'critical' IE flaw

Tuesday, November 22 2005

PC users have been hit with yet another critical security flaw that could leave their systems open to exploitation by hackers. 

The Internet Explorer security flaw, which was previously thought to be relatively harmless, exploits a problem with Javascript that could be used to take control of a Windows system. The vulnerability affects users of Internet Explorer versions 5.5 and 6 on XP Service Pack 2, and Internet Explorer 6 running on Windows 2000 SP4.

Users can trigger the vulnerability by visiting a site hosting malicious code; the exploit can then be controlled remotely.

At present, there is no patch for the vulnerability, despite the fact that it has been known since May this year. However, it wasn't considered to be a way to execute code, but simply a way to crash a user's PC or carry out denial of service (DoS) attacks.

"Contrary to popular beliefs, the aforementioned security issue is susceptible to remote, arbitrary code execution, yielding full system access with the privileges of the underlying user," said Cyber Terrorism's security advisory.

Until a patch is released by Microsoft, users can reduce their vulnerability by disabling Javascript in Internet Explorer, or choosing an alternative browser.

However, changing browser may not be the answer to all problems, as alternative browsers increasingly come to the attention of malware writers. Code that could be used to launch attacks on Firefox, Mozilla and Netscape users was published online in September, after a vulnerability in the software was discovered. An updated version of the Firefox and Mozilla Suite software is now available.