CRITICAL:
Extremely critical
REMOTE EXPLOITATION:
Yes
DESCRIPTION:
A new vulnerability has been identified in Microsoft
Internet Explorer. When IE processes a call to the
createTextRange() DHTML method, it fails to handle the call
correctly, which can allow a remote, unauthenticated attacker
to execute arbitrary code.
According to Microsoft:
Dynamic HTML (DHTML) is built on an object model
that extends the traditional static HTML document which
enables Web authors to create more engaging and interactive
Web pages.
createTextRange(), the method that triggers the vulnerability,
is the DHTML method that returns a TextRange object.
It has been confirmed that a fully patched Microsoft Windows XP
SP2 system with IE 6.0 or IE 7.0 Beta 2 Preview is affected by
this vulnerability. Because the vulnerability is critical, BSST
(Broadweb Security Service Team) has raised the threat
indicator to level 2.
SOLUTION:
- Turn off Active Scripting, since the known attack
vectors for this vulnerability require Active Scripting to
be enabled.
- Broadweb BSST is watching for exploits of this
vulnerability and will release signatures at any time. Customers
of Broadweb are advised to watch for pattern release notices
from Broadweb and keep their patterns up to date.
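The following PowerShell sketch audits and applies the first mitigation. It is an added example, not part of the original advisory or Broadweb's tooling. It relies on the standard IE zone settings in the registry (URL action 1400, "Active scripting"); the function names and the default choice of the Internet and Restricted sites zones are assumptions made for illustration.

```powershell
# Added example: audit and disable Active Scripting per IE security zone.
# URL action 1400 = "Active scripting": 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$Setting   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$Roots = @(
    # Per-user zone settings
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    # Machine policy; when present it takes precedence over the per-user value
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

# Hypothetical helper name: reports the 1400 value for every zone in both locations.
function Get-ActiveScriptingState {
    foreach ($root in $Roots) {
        foreach ($zone in 0..4) {
            $key   = Join-Path $root $zone
            $value = $null
            if (Test-Path $key) {
                $value = (Get-ItemProperty -Path $key -Name '1400' `
                          -ErrorAction SilentlyContinue).'1400'
            }
            [pscustomobject]@{
                Hive  = $root.Substring(0, 4)
                Zone  = $ZoneNames[$zone]
                Raw   = $value
                State = if ($null -eq $value) { 'Not set' }
                        elseif ($Setting.ContainsKey([int]$value)) { $Setting[[int]$value] }
                        else { "Unknown ($value)" }
            }
        }
    }
}

# Hypothetical helper name: sets 1400 = 3 (Disable) for the current user.
# Default zones (3 = Internet, 4 = Restricted sites) are an assumption.
function Disable-ActiveScripting {
    param([int[]]$Zone = @(3, 4))
    foreach ($z in $Zone) {
        $key = Join-Path $Roots[0] $z
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
    }
}

Get-ActiveScriptingState | Format-Table -AutoSize
```

Run `Disable-ActiveScripting` and then repeat the audit; any zone still reported as Enabled or Prompt under HKLM is controlled by policy and has to be changed there.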
CREDIT:
This issue was reported by Andreas Sandblad of Secunia
Research.
About BSST
Broadweb Security Service Team (BSST) - Empower Your
Network Security
Broadweb NetKeeper Intruder Prevention System delivers
protection against intrusion, worms, DDoS,
instant messaging, P2P, Web-Mail, and Web
Post.