New Spoofing Vulnerability for IE

Secunia has published a new spoofing vulnerability that affects Internet Explorer (IE6 with SP2 is also affected).

The vulnerability is caused by an error in the DHTML Edit ActiveX control when handling the "execScript()" function in certain situations. This can be exploited to execute arbitrary script code in a user's browser session in the context of an arbitrary site.

A test, which can be used to check if your browser is affected by this issue, is available at this address:
http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/

Solutions? For the moment, only the "do it yourself" actions: disable ActiveX support.

Posted on Friday, December 17, 2004 12:42 AM

Comments on this post

# New Spoofing Vulnerability for IE

Left by Di .NET e di altre amenita' on Dec 16, 2004 5:28 PM

# re: New Spoofing Vulnerability for IE

Actually, there's another option.

I just followed your link to the Secunia site, and performed the test. I wasn't vulnerable.

The interesting thing is what it is that protected me (I do have ActiveX turned on). The Google toolbar's popup blocker. All IE instances I had open were locked up, and the popup block count that is displayed on the toolbar was increasing at about 1 popup blocked per second, but I wasn't hit. I'd much prefer this behaviour than the alternative!

I turned the Google popup blocker off and ran the test again (but left the IE XP SP2 popup blocker on) and was hit with the vulnerability.

I'd be interested to know how the other popup blockers handle it.
Left by Geoff Appleby on Dec 17, 2004 2:34 AM

# re: New Spoofing Vulnerability for IE

I forgot to say - once I closed the test page that was trying to exploit me, the other locked up IE instances were responsive and happy once again.
Left by Geoff Appleby on Dec 17, 2004 2:35 AM

# re: New Spoofing Vulnerability for IE

Thanks Geoff, here at work I don't have the Google Toolbar installed so I was vulnerable... interesting to know that. Thanks for your feedback.
Left by Stefano Demiliani on Dec 17, 2004 4:49 AM

# New Spoofing Vulnerability for IE

Left by Di .NET e di altre amenita' on Dec 16, 2004 10:52 PM
