, The Register 2004-06-10
Detailed information on a brace of unpatched vulnerabilities in Internet Explorer has been posted onto a dull disclosure mailing list. The flaws involve a cross-zone scripting vuln and a bug in IE's Local Resource Access and pose an "extremely critical" risk to Windows users, according to security firm Secunia. The vulnerabilities affect both Internet Explorer 6 and Outlook.
The vulnerabilities are actively being exploited in the wild to install adware on users' systems, security researchers warn. Other exploits - include computer viruses - based on the same techniques of tricking users into visiting a maliciously constructed website housing malign script could follow.
Etienne Greeff, director at MIS Corporate Defence Solutions, said: "This is a very sophisticated exploit using encryption and stealth technologies to deliver its payload, using previously unknown vulnerabilities to work."
Windows users should disable Active Scripting support for all but trusted websites until Microsoft releases patches to address the vulnerabilities. The vulnerabilities were publicised by a Dutch 'white hat hacker' called Jelmer, who came across an example of an exploit of the flaws already in circulation last weekend. ®
