New Microsoft IE security flaw
p2pnet.net News:- “Greyhats Security Group is back and we’re ready to kick the crap out of sp2,” said Paul on SecurityFocus’ Bugtraq archive, last month.
Now, he’s reporting a security problem in Microsoft’s Internet Explorer browser which allows attackers to build a fake site that looks exactly like a real one.
Or, as Secunia phrases it, the “moderately critical” vulnerability, “can be exploited by malicious people to conduct sophisticated cross-site scripting attacks against any web site”.
The flaw is the result of an error in the DHTML Edit ActiveX control when handling the "execScript()" function in certain situations, says Secunia, going on:
“This can be exploited to execute arbitrary script code in a user’s browser session in context of an arbitrary site.
Secunia has constructed a test, which can be used to check if your browser is affected by this issue: http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/
“The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2.”
Solution?
Set your security level to high for the "Internet" zone (disable ActiveX support), suggests Secunia.
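To check whether that workaround is actually in force on a machine, the following added example (not from Secunia or p2pnet) reads the current user's "Internet" zone settings from the registry and reports each ActiveX-related URL action. The zone key and action IDs are the standard Windows ones and do not appear in the article; the function name is hypothetical, and the script assumes per-user settings with no overriding Group Policy.

```powershell
# Added example: audit ActiveX handling in the "Internet" zone (zone 3).
# Assumption: settings live in the per-user key; Group Policy may override them.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action IDs (registry value names) that control ActiveX in a zone.
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
# Meaning of the DWORD stored under each action ID.
$policy = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ZoneActiveXState {   # hypothetical helper name
    param([string]$Path = $zonePath)
    if (-not (Test-Path $Path)) { throw "Zone key not found: $Path" }
    $zone = Get-ItemProperty -Path $Path
    foreach ($id in $actions.Keys) {
        $raw = $zone.$id
        $state = if ($null -eq $raw) { 'Not set' }
                 elseif ($policy.ContainsKey([int]$raw)) { $policy[[int]$raw] }
                 else { 'Other (0x{0:X})' -f $raw }   # e.g. administrator-approved only
        [pscustomobject]@{
            Action   = $id
            Setting  = $actions[$id]
            State    = $state
            Disabled = ($raw -eq 3)
        }
    }
}

$report = @(Get-ZoneActiveXState)
$report | Format-Table -AutoSize

# The workaround is in place only if every ActiveX action is disabled.
$open = @($report | Where-Object { -not $_.Disabled })
if ($open.Count -eq 0) {
    'Internet zone: ActiveX is disabled.'
} else {
    'Internet zone: {0} ActiveX action(s) not disabled: {1}' -f $open.Count, ($open.Action -join ', ')
}
```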
===================
See:-
real one – Internet Explorer DHTML Edit ActiveX Control Cross-Site Scripting, December 16, 2004




