Thursday, March 30, 2006

createTextRange vulnerability in IE: Disable Active scripting or use another browser

The flaw is caused by how Internet Explorer handles createTextRange tags, and could let malicious software run and install itself. Microsoft has not yet offered a patch, though it should be in the April 11 updates. Numerous websites that exploit the vulnerability have been identified. A recent CNet article reports that spam e-mails containing excerpts of BBC stories are being sent out, and readers are redirected to forged BBC webpages. Once the infected site is visited, a keylogger is pushed onto the system, and user information such as usernames and passwords is captured and collected.

Until the patch is released, users of Internet Explorer could do the following:

Disable active scripting:

  1. In the IE browser, click on Tools and select Internet Options.
  2. Click on the Security tab, click on Internet and then select Custom Level.
  3. In the Security settings, look for Scripting. Set Active Scripting to either Disable or Prompt. Click OK.
  4. Now back in Internet Options, click Local intranet, and then Custom Level. Repeat step no. 3.
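The same setting can be checked and applied from a script, which helps when several user profiles or machines need the workaround. This is an added example, not part of the original post. It assumes the per-user zone keys under `HKCU`, where zone `1` is Local intranet, zone `3` is Internet, and URL action `1400` is Active Scripting (0 = Enable, 1 = Prompt, 3 = Disable); the `-Mode` and `-AuditOnly` parameters are names chosen for this example.

```powershell
# Added example: audit and set the Active Scripting action (URL action 1400)
# for the two zones named in the steps above (Internet and Local intranet).
# Values for 1400: 0 = Enable, 1 = Prompt, 3 = Disable.
param(
    [ValidateSet('Prompt', 'Disable')]
    [string]$Mode = 'Disable',   # hypothetical parameter name for this example
    [switch]$AuditOnly           # report current values without changing them
)

$base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones  = [ordered]@{ '1' = 'Local intranet'; '3' = 'Internet' }
$action = '1400'
$names  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$target = if ($Mode -eq 'Prompt') { 1 } else { 3 }

foreach ($id in $zones.Keys) {
    $key = Join-Path $base $id
    if (-not (Test-Path $key)) {
        Write-Warning "Zone key missing: $key"
        continue
    }

    # Read the current value; it may be absent if the zone uses defaults.
    $current = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
    $label = if ($null -eq $current) { 'not set' }
             elseif ($names.ContainsKey([int]$current)) { $names[[int]$current] }
             else { "unknown ($current)" }
    Write-Output ("{0,-15} Active Scripting: {1}" -f $zones[$id], $label)

    # Only write when a change is actually needed.
    if (-not $AuditOnly -and $current -ne $target) {
        Set-ItemProperty -Path $key -Name $action -Value $target -Type DWord
        Write-Output ("{0,-15} changed to {1}" -f $zones[$id], $names[$target])
    }
}
```

Run it with `-AuditOnly` first to record the existing values so they can be restored after the patch is installed. Per-user values set this way do not take effect where zone settings are enforced by Group Policy.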

Download and use another browser:

Use Firefox or Opera as your browser.

Update:

Microsoft has released a cumulative patch for IE, which can be found in the Microsoft Security Bulletin. Released together with the April 11 IE updates are patches for MDAC, Outlook Express and FrontPage.
