See your link here

Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.

Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

Laptops

Toshiba Laptops with Intel® Centrino® Duo. Free Shipping

New Explorer 6 active scripting flaw reported

Microsoft said it is 'aggressively' investigating the reports

Todd R. Weiss Today’s Top Stories

or Other Spam, Malware and Vulnerabilities Stories

November 26, 2003 (Computerworld) -- Security researchers in Denmark are warning users to disable "active scripting" in Microsoft Corp.'s Internet Explorer 6.0 Web browser to prevent attackers from targeting and taking remote control of their PCs.
Niels Rasmussen, CEO of security research company Secunia ApS in Copenhagen, said yesterday that the latest vulnerabilities "allow malicious Web sites and viruses to bypass the security zone settings in Internet Explorer."
The discovery was made by researcher Liu Die Yu, who posted it on public reporting bulletin boards, Rasmussen said. The report said the problem combines "multiple 'minor' vulnerabilities" and "are as simple to exploit as the three-month-old Object Data vulnerability, which was exploited by several spam mails and pornographic Web pages" in recent months, Rasmussen said.
Presently, the only fix is to disable Explorer's active scripting so that the feature can't be used to attack the machine, according to Secunia. Other browsers that don't have the feature, such as Netscape Navigator, Mozilla or Opera, can be used without fear of attacks.
Art Manion, an Internet security analyst at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh, confirmed that his testing of the reported vulnerability showed that at least one of the reported problems can be duplicated on an Explorer 6 machine that has already been fully patched with existing Microsoft updates, meaning that the vulnerability does exist.
Manion said the problem is a "cross-domain scripting vulnerability," which incorrectly allows a script from one Web site to run on another domain when using Explorer 6. That means an attacker could potentially access data on a victim's PC, he said.
CERT has posted instructions on how to disable active scripting in Explorer 6 to protect users from attacks until a fix is found.
Debby Fry Wilson, director of the security business unit at Microsoft, said in a statement last night that the company is "investigating new public reports of possible vulnerabilities in Internet Explorer," based on the latest postings. "We have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports."
If the flaw is confirmed, Microsoft "will take the appropriate action to protect our customers, which may include providing a fix through our monthly patch release process or an out-of-cycle patch, depending on customer needs," she said.
Microsoft released Microsoft Security Bulletin MS03-048 on Nov. 11, which provided a cumulative patch for Internet Explorer, Wilson said. "We continue to encourage customers to install this security update -- and to follow our 'Protect Your PC' guidance of enabling a firewall, getting software updates and installing antivirus software."
Wilson also said Microsoft is concerned that the latest vulnerability reports weren't sent to the company before being made public, giving attackers time to use it for new attacks on users.
Reports of the vulnerabilities "were not disclosed responsibly, potentially putting computer users at risk," she said. "We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality patches for security vulnerabilities, with no exposure to malicious attackers while the patch is being developed."

Print this Story

Send Us Feedback

E-mail this Story

Digg this Story

Slashdot this Story

"Yes, NASA has confirmed that some laptops taken to the International Space Station were infected with an online-gaming password stealing..." Read more...

"Linux is more secure than most operating systems, but Not if you don't practice basic security measures..." Read more...

Read more Security posts or See all Blogs

	Cellular operators say they're ready for Gustav
	Psystar calls Apple a 'monopoly' in antitrust charges
	Doubt cast on Seinfeld as Windows TV ads near
	More top stories...

	IT workers hit hardest by offshore outsourcing, survey finds
	Microsoft: No more Windows Live Mail crashes with IE8 Beta 2
	Microsoft warns of IE8 lock-in with XP SP3

Telecommuting: 6 questions to ask before you say yes

Telework can change office dynamics in ways you hadn't anticipated. Proceed cautiously.

Wi-Fi tweaks for speed freaks

Got a painfully slow connection or random dead spots? Our tips will help you get the most out of your wireless network.

5 ways to drive your best workers out the door

Listen up, managers: Employees don't quit the job; they quit you.

Ultraportable laptops: Their rise and possible fall

Netbooks, ultraportables, mini-notebooks — whatever you call them, they've been grabbing headlines. Are they here for the long term or just a flash in the pan?

Windows Vista A to Z

Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.

IT Careers 2010

Four years from now, the IT field will be a vastly different place. Will you be ready?

All Zones
Application Performance Zone
Business Continuity Zone
The File Data Management Zone
Security Management Zone
ITIL Best Practices Zone
The SAS Zone
Business Intelligence and Analytics Zone
Windows Protection Zone
Identity & Security Management Zone

See your link here

From Laggard to Leader: Transforming the Data Center

From Laggard to Leader: Transforming the Data Center
Register for this complimentary live webcast today!

Go to the webcast

Managing Mobile Data with Endpoint Security for Laptops

Download this white paper now, compliments of Computerworld and Absolute Software.
(Source: Absolute Software) A NetworkWorld survey of IT professionals found that only 1 in 100 employees consistently follow data security policy. This paper outlines endpoint security for laptops that restricts data access beyond encryption to safeguard against insider threats and user error.Read this whitepaper to learn lessons from recent data breaches, limitations of traditional data security, and how to remotely wipe out data and monitor computers that go off the network.

Download this executive briefing

Top 10 Reasons to Upgrade

Get this white paper now!
(Source: Symantec) Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.

Download this white paper

White Papers

Read up on the latest ideas and technologies from companies that sell hardware, software and services.

	Archiving Compliance with Sunbelt Exchange Archiver
	The Impact of Messaging and Web Threats
	Advanced Load Balancing: 8 Things You Need to Handle Today's Network Traffic

View more whitepapers

XenServer FREE trial
Citrix XenServer is the simplest and most effective way to virtualize and provision servers. XenServer combines comprehensive server virtualization capabilities with unparalleled scalability, performance, economics, and ease-of-use. Based on the open source Xen hypervisor, XenServer delivers fast performance, easy management, and advanced features such as live migration.

Request free trial now

SQL Anywhere Developer Edition Download

SQL Anywhere is the industry-leading mobile and embedded database. Designed for database-powered applications that operate in frontline environments without onsite IT support, SQL Anywhere offers enterprise-caliber features in a database that is easily embedded and widely deployed in server, desktop, remote office and mobile applications.

Download the free SQL Anywhere Developer Edition

Sponsored Links

The Secure Web Gateway. Mission Critical For Business - Webcast

Join Tech OnTap: NetApp's monthly technical newsletter.

HP Color LaserJet CP4005n printer. Now $899. SHOP NOW

JBoss Application Platform on Dell Servers. Learn more.

Ever been to a virtual conference? Introducing Storage Networking World Online!

Instant server virtualization. Free download!

Microsoft System Center - Designed for Big

Renowned Engineering Institution Chooses AMD Processor-Based Servers

WHITEPAPER: IT Users Discuss New Ways to Protect Enterprise Data

Get Extreme Storage for Extreme Business with HP.

Save up to 62% plus 2 FREE Gifts from Omaha Steaks.

HP LaserJet P4014n printer Starting at $699 after $100 IS.

BigFix - Before all Hell breaks loose on your network!

Learn about the software-based VoIP solution from Microsoft.

Kodak i600: Easy on your operators and your bottom line. Learn more about the i600 now.

Virtual Event: Data Center Directions -- Navigating a Sea of Change in Server Technologies and Trends

Not All QSAs Are Created Equal: What You Should Know Before You Buy

The arrival of Serial Attached SCSI (SAS) marks a new era in storage scalability

The AMD Virtual Experience Virtual Trade Show

"The Definitive Guide to Security Management" Chapter 1: Introduction to Security Management

Defy the laws of reporting - introducing Crystal Reports(R) 2008. Discover it now.

Meet Windows Server 2008. The server unleashed.

Web Hosting UK - Cheap Windows Linux PHP MySQL ASP MSSQL Hosting in UK

Beyond consolidation: five reasons why you should start virtualizing

How-to video: Smart steps to efficient power management

Listen to Industry Experts and Engage with Top Visionaries at SNWOnline

Quit using costly software. Add to your bottom line. See how.

Thompson Cigars: Fine Hand Rolled Cigars only $19.95 and includes Free Shipping:

Meet Windows Server 2008. The server unleashed.

Make data protection more efficient with NetBackup.

Empower your business with adaptive networks. Visit the IDG Building the Adaptive Network site, sponsored by ProCurve Networking by HP.

Microsoft Forefront makes defending your systems easier. Learn how at easyeasier.com

Go Green Without Sacrificing Server Performance

Rushed? Work Less. Deliver More. Crystal Reports(R) Server 2008. Try it now

64-Page prescriptive guide to security, compliance, and IT operations.

Intercept Spam & Viruses With MessageLabs

Leverage Your Cisco infrastructure for Superior Application Performance

Learn about the AMD Virtual Experience

Learn how to make the most of your IT investments in this live webcast.

Migrating from ERwin®toPowerDesigner® by Sybase

About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map

CIO

Computerworld

CSO

DEMO

GamePro

Games.net

IDG Connect

IDG World Expo

Infoworld

The Industry Standard

ITworld

JavaWorld

LinuxWorld

MacUser

Macworld

Network World

PC World

Playlist

Copyright © 2008 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.

	Virus and Vulnerability Roundup
	Finance
	Security
	Computerworld Daily News (First Look and Wrap-Up)
	Computerworld Blogs Newsletter
	The Weekly Top 10

BONUS LINKS

New Explorer 6 active scripting flaw reported

Sponsored Links