IE HTML objects exploit
From: Brian Smith-Sweeney
Date: March 24, 2006 1:17:31 PM EST
Subject: IE HTML objects exploit
Hello all,
On Wednesday the Secunia group announced they had found a critical
vulnerability in most recent versions of Internet Explorer related to
the handling of HTML objects. Within 24 hours exploit code was made
publicly available. Both SANS and Symantec have bumped up their
Internet threat meters in response to this exploit.
There is currently no patch available for this vulnerability.
Microsoft’s only recommended workaround is to turn off Active Scripting.
Please note that this workaround may break the functionality of some
web sites, including NYUHome. TSS is not advocating the use of this
workaround, but should you choose to do so, we *strongly recommend*
adding http://*.nyu.edu and https://*.nyu.edu to the list of “Trusted”
security zone sites. This should at least preserve functionality for all
NYU sites.
Alternatively you may just want to keep a closer eye on your systems or
consider using a different browser such as Firefox for non-NYU sites
until a patch becomes available.
For more information, please check:
SANS incident report
http://isc.incidents.org/diary.php?storyid=1212
Secunia announcement
http://secunia.com/advisories/18680/
Microsoft confirmation
http://www.microsoft.com/technet/security/advisory/917077.mspx
Microsoft Workaround
http://blogs.technet.com/msrc/archive/2006/03/22/422849.aspx
Please let us know if you have any questions.
Cheers,
Brian
–
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Smith-Sweeney Sr. Network Security Analyst
ITS Technology Security Services, New York University
bsmithsweeney@nyu.edu
http://www.nyu.edu/its/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~