 |
Ryan Naraine at PC Magazine:
Microsoft plans to release a pre-patch advisory with workarounds for a “highly critical” vulnerability that could put millions of Internet Explorer users at the mercy of malicious hackers.
The advisory, which will be posted here, acknowledges a code execution hole that was discovered and publicly reported by Secunia Research of Copenhagen, Denmark.
…
“This can be exploited by a malicious Web site to corrupt memory in a way that allows the program flow to be redirected to the heap,” Secunia said in the alert, warning that successful exploitation allows execution of arbitrary code whenever the target visits the rigged Web site.
The advisory has now been posted here. To be completely safe, you need to turn off Active Scripting in IE6 and some betas of IE7. Microsoft is still investigating and will determine later what form a patch will take.
Update: Elinor Mills reports at ZDNet UK at that exploit code is already circulating.
March 27th, 2006 at 10:12 PM
[...] Over the weekend, there were reports of exploits appearing for the drive-by Internet Explorer security hole reported last week. Now they are cropping up in a lot of unexpected places. Brian Krebs at the Washington Post: More than 200 Web sites — many of them belonging to legitimate businesses — have been hacked and seeded with code that tries to take advantage of a unpatched security hole in Microsoft’s Internet Explorer Web browser to install hostile code on Windows computers when users merely visit the sites. [...]
March 28th, 2006 at 10:00 PM
[...] There’s a gaping drive-by Internet Explorer security exploit that cropped up without any prior warning and is now appearing all over the Web. Microsoft unhelpfully says don’t surf in any sleazy areas and we’ll have a patch next month on our regularly scheduled Patch Tuesday. Commentators note that with hacked web servers, exploits are appearing in the nicest neighborhoods and as a result, security companies are coming out with their own patches ([1], [2]) of which Microsoft disapproves. Nonetheless, Microsoft says they may well ship their own patch early if things look really, really serious. [...]