Full Version: Another Reason To Use Firefox
buddy215
http://www.techweb.com/wire/security/19300...LOSKH0CJUNN2JVN

Exploit code for an unpatched vulnerability in Microsoft's Internet Explorer is circulating, a security company said Friday, but the danger remains low as the current attack only crashes the browser.
Fully-patched Windows XP SP2 and Windows 2000 SP4 systems are open to the new attack, said David Cole, director of Symantec's security response group. "This is proof-of-concept code, we haven't seen any active exploits," said Cole. "Whether it grows into something bigger is heavily linked to if it gets remote code execution [capabilities]," he added.

Microsoft's advice, which included setting the "kill bit" for the ActiveX control to disable it. That, however, requires users to edit the Windows Registry, something many are unprepared to do. In the past, Microsoft's suggestions to set specific kill bits have been taken up by third-party researchers, who have cranked out automated tools for turning off the control.

Another tactic, said Microsoft, is to disable all ActiveX controls in Internet Explorer from the dialog that appears after selecting Tools|Internet Options.
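The kill-bit registry edit mentioned in the quoted article, as an added PowerShell example (not part of the original post, and not Microsoft's own tool). The thread does not name the affected control, so the CLSID is a placeholder; the function name `Set-ActiveXKillBit` is hypothetical. Run from an elevated prompt.

```powershell
# Added example: set and verify the Internet Explorer "kill bit" for one ActiveX control.
# The kill bit is the 0x400 bit of the DWORD "Compatibility Flags" under
# ...\Internet Explorer\ActiveX Compatibility\{CLSID}.
$KillBit  = 0x400
$FlagName = 'Compatibility Flags'

function Set-ActiveXKillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid
    )
    $roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover it too.
    if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Wow6432Node') {
        $roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    foreach ($root in $roots) {
        $key = Join-Path $root $Clsid
        # Read any flags already present so they are preserved, not overwritten.
        $old = 0
        if (Test-Path -LiteralPath $key) {
            $prop = Get-ItemProperty -LiteralPath $key -Name $FlagName -ErrorAction SilentlyContinue
            if ($prop) { $old = [int]$prop.$FlagName }
        }
        $new = $old -bor $KillBit
        if ($PSCmdlet.ShouldProcess($key, ('set {0} to 0x{1:X8}' -f $FlagName, $new))) {
            # Create the key only if missing: New-Item -Force on an existing
            # registry key would wipe its current values.
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -LiteralPath $key -Name $FlagName -Value $new `
                -PropertyType DWord -Force | Out-Null
        }
        # Report before/after so the change can be verified or rolled back.
        [pscustomobject]@{
            Key     = $key
            Before  = '0x{0:X8}' -f $old
            After   = '0x{0:X8}' -f $new
            Blocked = [bool]($new -band $KillBit)
        }
    }
}

# Placeholder CLSID (constructed); substitute the one from the vendor advisory.
# Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' -WhatIf
```

With `-WhatIf` nothing is written, and the `Before`/`After` columns show what would change; the `Before` value is what to restore if the control needs to be re-enabled later.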
jgweed
I just got an alert about this from US-CERT (Cyber Security Alert SA06-258A). Potentially this is a serious problem:

"An attacker could exploit a vulnerability in an ActiveX control
by convincing a user to visit a web site with Internet
Explorer. The attacker could then take any action as the user,
including installing malicious software and accessing sensitive
personal information."

Their recommendation, until a patch is eventually issued, is to disable ActiveX, and to not follow any unsolicited links.

Regards,
John
Ngarskel
ZDNet also has reported this along with the common response of ignoring it from Microsoft until next month's 'Patch Tuesday.' Unfortunately this exploit was discovered 2 days after the last 'Patch Tuesday.' I pointedly don't use IE 6 or IE at all because of the previously failed patches that ended up opening new exploits.

Also, that code was posted on a public forum, according to ZDNet.

"The flaw is due to an error in an ActiveX control related to multimedia features and could be exploited by viewing a rigged Web page, Symantec said in an alert sent to users of its DeepSight security intelligence service Thursday. An attacker could commandeer a Windows PC or cause IE to crash, the security company said."

http://news.zdnet.com/2100-1009_22-6115966.html