IE "createTextRange()" vuln


18 replies to this topic

#16 AplusWebMaster

Posted 30 March 2006 - 03:52 PM

FYI...

- http://www.techweb.c..._section=700028
March 30, 2006
"While users wait for Microsoft to patch the most recent zero-day vulnerability in Internet Explorer, security experts agree that the best way to protect PCs is to dump the browser's Active Scripting function. Even eEye Digital Security, one of two commercial security vendors that has released unsanctioned, temporary patches for the problem, said so. "Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation," eEye warned in the advisory accompanying the patch. Microsoft's preferred workaround for the createTextRange bug is to disable Active Scripting so as to bar any JavaScript code from running. In fact, this isn't the first time that Microsoft has urged users to switch off Active Scripting; in early December, it used the same advice when another unpatched vulnerability was wreaking havoc.

Here's how to turn off Active Scripting:
-- In Internet Explorer, click Internet Options on the Tools menu.
-- Click the Security tab.
-- Click Internet, and then click Custom Level.
-- Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK.
-- Click Local intranet, and then click Custom Level.
-- Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK.
-- Click OK two times to return to Internet Explorer.

Doing so, however, will break some sites and/or functions within sites, as Microsoft itself warned in the security advisory posted last week and updated Wednesday. "Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly," the advisory went. "If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly."

:huh:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
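The dialog steps quoted in the post above map to a per-user registry value, which makes the setting auditable across machines. The following PowerShell is an added example, not part of the quoted article or the poster's text. It assumes the documented Internet Explorer zone layout (zone 1 = Local intranet, zone 3 = Internet, URL action 1400 = Active Scripting, value 3 = Disable); the function and variable names are illustrative.

```powershell
# Added example: audit (and with -Apply, set) Active Scripting = Disable
# for the two zones named in the steps above, for the current user.
param([switch]$Apply)

$base     = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$policy   = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }   # IE zone numbers
$action   = '1400'                                      # URL action: Active Scripting
$states   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$disabled = 3

function Get-ZoneAction([string]$Path) {
    # Returns the DWORD for the action, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $action -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$action }
}

foreach ($id in ($zones.Keys | Sort-Object)) {
    $userKey = "HKCU:\$base\$id"
    $current = Get-ZoneAction $userKey

    if ($Apply -and $current -ne $disabled) {
        if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
        Set-ItemProperty -Path $userKey -Name $action -Value $disabled -Type DWord
        $current = Get-ZoneAction $userKey
    }

    # A Group Policy value, if present, takes precedence over the per-user one.
    $forced = Get-ZoneAction "HKLM:\$policy\$id"
    if ($null -eq $forced) { $forced = Get-ZoneAction "HKCU:\$policy\$id" }

    $effective = if ($null -ne $forced) { $forced } else { $current }
    [pscustomobject]@{
        Zone      = $zones[$id]
        UserValue = if ($null -ne $current) { $states[[int]$current] } else { 'not set' }
        Policy    = if ($null -ne $forced)  { $states[[int]$forced] }  else { 'none' }
        Compliant = ($effective -eq $disabled)
    }
}
```

Run without arguments to report only; a zone whose `Policy` column shows `Enable` or `Prompt` will stay non-compliant until the policy itself is changed.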


#17 AplusWebMaster

Posted 30 March 2006 - 04:05 PM

FYI...

- http://isc.sans.org/...hp?storyid=1228
Last Updated: 2006-03-30 21:46:03 UTC
"...UPDATE 1: Some readers have written in to express their unhappiness that the non-security-related patch done for legal reasons is being released with the fix for the zero-day IE flaw. I agree. I don't like to see them together either. Consider your complaint on that registered with the ISC, not that we can do anything about it."

:(


#18 AplusWebMaster

Posted 01 April 2006 - 07:10 AM

FYI...

Optimized IE Exploit Speeds Up Infection
- http://www.techweb.c...urity/184417612
March 31, 2006
"A new twist on the existing exploit of Internet Explorer's zero-day vulnerability has slashed the time it takes to compromise a computer, a security company claimed Friday. According to Sunnyvale, Calif.-based Fortinet, the exploit -- dubbed "JS/CreateTextRange.B" to differentiate it from the original -- takes much less time to execute... The change could be significant, since the one exploit now in circulation takes 5 to 10 seconds to execute, said Dan Hubbard, senior director of security and research at Websense... Speeding up the infection could cause fewer users to close IE, and lead to more machines falling under the sway of spyware and keyloggers. As of mid-afternoon Friday, Microsoft had not pushed out a patch for the IE flaw, but users had other options to defend themselves, including disabling the browser's Active Scripting feature, installing one of two third-party fixes, or switching to another Web browser, such as Firefox."

- http://tinyurl.com/qzewq
"JS/CreateTextRange.B!exploit
Visible Symptoms
* A system message warning the user that Virtual Memory is running out may pop up from the tray bar - this is due to an increase of VM used by Internet Explorer.
* Upon viewing a Trojanized webpage, arbitrary code could execute, ranging from simple denial of service to Internet Explorer to shell code allowing access to the victimized system..."

:(


#19 AplusWebMaster

Posted 07 April 2006 - 07:13 AM

FYI...

- http://blogs.technet.../06/424519.aspx
Published Thursday, April 06, 2006 7:14 PM
"...This coming Tuesday, the 11th, we’re planning to release five security bulletins, 4 for Windows and 1 that affects both Windows and Office. One of the Windows bulletins will be the cumulative Internet Explorer update that will address the "CreateTextRange" vulnerability..."

.