
More IE vulnerabilities


Original Message
Name: Solarian
Date: November 26, 2003 at 04:09:14 Pacific
Subject: More IE vulnerabilities
OS: XP Home
CPU/Ram: Pentium 4/1.6 GHz 256 MB
Comment:

The following article appeared in this morning's Register newsletter.
__________________________

Scripting flaws pose severe risk for IE users

A set of five unpatched scripting vulnerabilities in Internet Explorer creates a mechanism for hackers to compromise targeted PCs.

The vulnerabilities, unearthed by Chinese security researcher Liu Die Yu, enable malicious Web sites and viruses to bypass the security zone settings in IE6. Used in combination, the flaws might be exploited to seize control of vulnerable PCs.

Proof of Concept exploits have been released by Liu Die Yu to validate his warnings.

Microsoft has yet to patch the flaws. But users can protect themselves against the flaws by disabling active scripting or by using an alternative browser.

Thomas Kristensen, CTO of security Web site Secunia, told The Register that the five distinct vulns could be used in combination to install executables (viruses, Trojans and porn diallers). Secunia describes the vulnerabilities as "extremely critical".

Despite this, Kristensen warns that Microsoft is unlikely to break its newly instituted monthly release cycle to release a stand-alone IE patch unless a vulnerability was widely exploited. Pending the availability of a patch, Secunia advises all IE users to disable active scripting.

The drawback of this workaround is that with some Web sites certain functions won't work unless scripting is enabled. IE users should define any sites they need to use as trusted so that they can continue to use scripting on those sites alone, Kristensen advised.

Secunia's advisory is HERE




Response Number 1
Name: Abnormal
Date: November 26, 2003 at 09:55:13 Pacific
Reply:

Thank you, Solarian, for posting the very important warning.

How To Disable Active Scripting in Internet Explorer

Many worms and viruses take advantage of flaws in Internet Explorer Active Scripting to execute malicious code on your computer. Some sites require active scripting to function and you may want it on for some. Those sites should be added to your Trusted Sites zone. Follow these steps to disable Active Scripting for untrusted sites.

Difficulty: Average
Time Required: 10 Minutes

Here's How:

1. Click on Tools on the menu bar at the top of Internet Explorer

2. Click on Internet Options from the Tools drop-down menu

3. When Internet Options opens up, click on the Security tab

4. Select the Security Zone you wish to disable Active Scripting for: Internet, Local Intranet or Restricted.

5. Selecting the default level High will automatically disable Active Scripting but may be too restrictive.

6. You may opt to use Medium as a baseline and customize it. Select the Custom Level button.

7. Set Reset Custom Settings to Medium and click the Reset button.

8. Set the options under ActiveX Controls and Plug-ins to Disable.

9. If you encounter sites that require Active Scripting to function you can add them to the Trusted Sites zone.

10. If you encounter sites that contain malicious code you can add them to the Restricted Sites zone.

Tips:

1. Restricted Sites security zone should be set to High

2. Trusted Sites security zone can be set to Medium or Low

3. Local Intranet security zone includes only those sites from your own Intranet so should be safe on Medium or Low

4. Internet security zone should be set to High or Medium with Active Scripting turned off.

Do it to avoid most problems you see at this site!

Abnormal
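
One way to verify the outcome of the steps above, as an added example that is not part of the original posts: a Python check over the text of a `reg export` of the per-user zone settings. It assumes value `1400` is the Active scripting URL action (0 = enable, 1 = prompt, 3 = disable) and that zones 3 and 4 are Internet and Restricted Sites; the function names and the sample export are constructed for illustration.

```python
import re

# Per-zone settings live under ...\Internet Settings\Zones\<n>.
# Value "1400" is Active scripting: 0 = enable, 1 = prompt, 3 = disable.
ZONES = {1: "Local Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}
STATES = {0: "enabled", 1: "prompt", 3: "disabled"}
MUST_DISABLE = {3, 4}  # Internet and Restricted Sites, per the tips in the reply

KEY_RE = re.compile(r"^\[HKEY_[^\]]*\\Internet Settings\\Zones\\(\d+)\]$", re.I)
VAL_RE = re.compile(r'^"1400"=dword:([0-9a-f]{8})$', re.I)

def active_scripting_by_zone(reg_text):
    """Return {zone_number: state} from .reg export text (decode UTF-16 files first)."""
    found, zone = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            zone = int(m.group(1)) if m else None  # ignore unrelated keys
        elif zone in ZONES:
            m = VAL_RE.match(line)
            if m:
                found[zone] = STATES.get(int(m.group(1), 16), "unknown")
    return found

def audit(reg_text):
    """List (zone name, state) for zones where scripting should be off but is not."""
    states = active_scripting_by_zone(reg_text)
    return [(ZONES[z], states.get(z, "not set"))
            for z in sorted(MUST_DISABLE) if states.get(z) != "disabled"]

# Constructed sample export (not taken from a real machine).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000003
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000003
"""

if __name__ == "__main__":
    for name, state in audit(SAMPLE):
        print(f"{name}: Active Scripting is {state}, expected disabled")
```

A zone reported as "not set" has no `1400` value in the export, so the check cannot confirm that scripting is off there.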

