Risk: Medium
Detailed information on unpatched vulnerabilities in Internet Explorer has been posted to a rather "out of the way" disclosure mailing list. The flaws involve a cross-zone scripting vulnerability and a bug in IE's Local Resource Access and pose an "extremely critical" risk to Windows users, according to security firm Secunia. The vulnerabilities affect both Internet Explorer 6 and Outlook.
It has been confirmed that the vulnerabilities exist in a fully patched system with Internet Explorer 6.0. Improved security features in XP SP2 reportedly block exploitation, but users would be ill-advised to rely on beta code for protection. SP2 doesn't help users of earlier versions of Windows, who are also at risk.
The vulnerabilities are actively being exploited in the wild to install adware on users' systems, security researchers warn. Other exploits - including computer viruses - could follow, based on the same technique of tricking users into visiting a maliciously constructed web site that hosts malign script.
The exploit is fairly sophisticated, using both encryption and stealth technologies to deliver its payload. It also relies on vulnerabilities that were previously unknown.
Windows users should disable Active Scripting support for all but trusted web sites until Microsoft releases patches to address the vulnerabilities. The vulnerabilities were publicised by a Dutch 'white hat hacker' called Jelmer, who came across an example of an exploit of the flaws already in circulation.