Viruses, worms, trojans and other stuff

Saturday, November 26, 2005

Microsoft Internet Explorer Extremely Critical Vulnerability

Benjamin Tobias Franz has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to certain objects not being initialized correctly when the "window()" function is used in conjunction with the "<body>" event. This can be exploited to execute arbitrary code on a vulnerable browser via some specially crafted JavaScript code called directly when a site has been loaded.

Example:
<body onload="window();">

Successful exploitation requires that the user is e.g. tricked into visiting a malicious website.

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2, and Internet Explorer 6.0 and Microsoft Windows 2000 SP4.

Note: A PoC exploit has been released for this vulnerability.

Solution:
Disable Active Scripting except for trusted sites.

0 Comments:

Post a Comment

<< Home