Microsoft Internet Explorer "createTextRange()" Code Execution
Daisuke
As expected a new exploit + variants are on the loose.

Affected software: Internet Explorer 6

Solution: use another browser and disable Active Scripting in Internet Explorer.

Help here: Disabling Active Scripting in Internet Explorer
and here: How to Disable Active Content in Internet Explorer

MS will release a patch probably in April.

Details:
Microsoft Internet Explorer "createTextRange()" Code Execution
IE exploit on the loose, going to yellow
Secunia advisory

There are 2 more vulnerabilities in MSIE disclosed this month waiting for a patch. Take care.
Daisuke
Microsoft Security Advisory (917077)
Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution

Workaround
QUOTE(Microsoft)
Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone.

Set Internet and Local intranet security zone settings to “High” to prompt before Active Scripting in these zones.

Restrict Web sites to only your trusted Web sites.
Security Geek
SANS is reporting that this vulnerability is now being exploited through eMail messages. They advise people to turn off IE Active Scripting or use Firefox (making sure it is the default browser). I would like to add that you should avoid opening any attachment with .HTA, .HTM, or .HTML extensions until this threat has passed. As always, keep your virus signatures as up to date as possible.

Microsoft says they may release a fix for this "out of cycle" (early). They also advise people to visit their Safety.Live.Com website to "scan your machine and remove current attacks using this vulnerability"

I'm posting regular updates on this threat at the NIST.org site linked below. As always please return here to post any comments or questions.
Security Geek
Latest Updates:
  • Free fix being offered by the security software company eEye.
  • Exploit now being used to install Spyware
  • SANS is reporting that this vulnerability is being exploited via eMail messages
  • Websense is reporting over 200 websites hosting exploited pages
See NIST.org article 2006-102 for details. Please return here to post comments.
quietman7
On 11 April 2006 Microsoft is planning to release:

• Four Microsoft Security Bulletins affecting Microsoft Windows. One of the updates will be a cumulative Internet Explorer update that addresses the publicly known "CreateTextRange" vulnerability.

See Microsoft Security Bulletin Advance Notification