Chris posted on this topic here. For those of you who aren't familiar with the latest Internet Explorer issue: last Friday, Microsoft announced a highly critical vulnerability in Internet Explorer.
Microsoft Security Advisory (917077):
Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/917077.mspx
The vulnerability involved a maliciously crafted script within HTML that uses the createTextRange method on radio button objects, checkbox objects, etc. This action crashes IE, leaving the system open to a buffer overflow attack and execution of arbitrary code pre-inserted onto the stack.
Attacks could be mounted through (a) drive-by attacks at malicious web pages, (b) email containing a URL forcing a link to a malicious web page, or (c) HTML email itself. As of yesterday, over 200 web sites containing pages exploiting this vulnerability had been discovered. There are probably some email-based exploits on the way to your inbox.
Unless Microsoft provide an out-of-cycle patch to address this issue, the window of vulnerability will remain open until Tuesday, April 11. However, according to this story at vnunet.com, MS may release a fix sooner.
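Until a patch is available, a mail or web content filter can flag HTML that pairs a createTextRange call with a radio button or checkbox. The sketch below is an added example, not code from the original post or from Microsoft; the name `scan_html`, the verdict labels and the two sample pages are assumptions constructed for illustration, and the match is a heuristic.

```python
import re
from html.parser import HTMLParser

# Input types the post names as affected by the createTextRange bug.
RISKY_TYPES = {"radio", "checkbox"}
TEXTRANGE_CALL = re.compile(r"\bcreateTextRange\s*\(")
TYPE_LITERAL = re.compile(r"""["'](?:radio|checkbox)["']""", re.I)

class _Collector(HTMLParser):
    """Collects ids/names of radio and checkbox inputs plus inline script text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.risky_names = set()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag == "input" and a.get("type", "").lower() in RISKY_TYPES:
            self.risky_names.update(n for n in (a.get("id"), a.get("name")) if n)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def scan_html(html):
    """Return 'clean', 'textrange-only' or 'suspicious' for one HTML document."""
    c = _Collector()
    c.feed(html)
    c.close()
    script = "\n".join(c.scripts)
    if not TEXTRANGE_CALL.search(script):
        return "clean"
    # Suspicious: the script names a radio/checkbox element from the markup,
    # or builds one itself (the type appears as a string literal).
    refs = any(re.search(r"\b%s\b" % re.escape(n), script) for n in c.risky_names)
    if refs or TYPE_LITERAL.search(script):
        return "suspicious"
    return "textrange-only"  # e.g. legitimate use on a textarea

# Constructed sample pages (not captured traffic).
SAMPLE_TEXTAREA = '<textarea id="note">hi</textarea><script>var r = document.getElementById("note").createTextRange();</script>'
SAMPLE_CHECKBOX = '<input type="checkbox" id="opt1"><script>var r = document.getElementById("opt1").createTextRange();</script>'
```

The filter only reads inline `<script>` bodies; calls placed in event-handler attributes, external script files or obfuscated code are not covered.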
Comment posted by Gregg Eldred, 03/29/2006 09:38:16 AM
Homepage: http://www.ns-tech.com/blog/geldred.nsf
I saw that on Google News yesterday. That is too wild - a 3rd party creates the patches prior to the official release by MS. I am conflicted on how I feel about that. Should you trust the fix if it doesn't come from MS?