, The Register 2004-07-05
Last Friday, Microsoft rolled out configuration changes to the Windows XP, Windows Server 2003 and Windows 2000 designed to protect against the Download.Ject attack as a workaround prior to the availability of patches. But postings to the insecure.org full disclosure mailing list over the weekend provide evidence that a slightly modified exploit can still yield full system compromise even on systems that have applied the workaround.
Users are advised to disable Active Scripting, except for trusted websites, as a precaution, until Microsoft comes out with a fix. Alternative browsers such as Mozilla, Opera or Netscape - which are not subject to this IE-specific attack - remain a much safer option. ®