Pavlov Scope

2005 November 23

Active Scripting security flaw in IE (Internet Explorer)

Filed under: ITSec — Kev Frey @ 15:32:30

(old NEWS - Just documenting the last few security issues for posterity)

KB905915 addresses this bug.
MSRC number: MS05-054

Hi all;

As I’m sure my buddy Bill already knows too, this past Monday afternoon (Nov. 21) a new software flaw was exploited in Internet Explorer (IE).

It is actually an old, known flaw, but the nature of the flaw is different from what was initially thought (it is worse).

The flaw is a problem in the JavaScript component in IE (MS calls it “Active Scripting”) and is not yet patched by Microsoft.

The problem is that some “proof of concept” program code which takes advantage of the flaw (what we call an exploit) has been released. Malicious code writers (writers of things like viruses, spyware, etc.) can easily adapt that code for attacking computers.

To prevent any new, as-yet-unknown exploits from being able to take advantage of this flaw, either do not use IE in the meantime or disable “Active Scripting” in IE. However, doing the latter will also prevent many legitimate web applications from functioning correctly, since it simply prevents all JavaScript from running in IE. But I wanted to make sure that you all knew about it going into Thanksgiving weekend.

The hope is that MS will soon publish a fix for the problem, at which point you should update your computers (via Windows Update website). The other “first line of defense” is virus protection, which hopefully can stay ahead of the curve of new viruses that might take advantage of this as-yet-unpatched flaw.

My recommendation in the interim: If you usually use IE, use Opera (8.51) or Firefox (1.5x) instead until a patch comes out for this flaw… Or, just stop using IE altogether (like me ;-)

And/or manually disable Active Scripting for your Internet Zone as follows (if you MUST use IE):

  1. Tools-Internet Options-Security tab
  2. Internet Zone
  3. Custom Level
  4. Scroll down, almost to the bottom and find Scripting/Active Scripting and choose Disable radio button

screenshot example

But please note that many websites use JavaScript for functionality, and this setting will prevent that functionality from working properly (using another browser for the site is the easiest thing). A workaround for THAT (again, if you must use IE for the site) is to place specific sites into your Trusted Sites list in the meantime (if you want more info about that, please let me know).
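As an added example (not part of the original post), here is a PowerShell script that checks the same per-user Internet Zone setting the four steps above change through the IE dialog, can set it to Disable, and lists the domains currently in the Trusted Sites zone. It assumes the standard per-user location of the zone settings (Internet zone = 3, Trusted sites = 2, and the DWORD named "1400" is Active scripting: 0 = Enable, 1 = Prompt, 3 = Disable); a machine-wide or domain policy under HKLM can override what it reports.

```powershell
# Added example: audit/harden the IE Internet Zone "Active scripting" setting
# and list Trusted Sites. Assumed registry layout (standard for IE zones):
#   HKCU\...\Internet Settings\Zones\3          -> Internet zone
#   value "1400" (DWORD)                        -> Active scripting
#   0 = Enable, 1 = Prompt, 3 = Disable
#   HKCU\...\Internet Settings\ZoneMap\Domains  -> per-domain zone mappings
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$InternetZone    = 3
$TrustedZone     = 2
$ActiveScripting = '1400'
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingSetting {
    # Read the current Internet Zone Active Scripting value and its meaning.
    $key = "$ZonesKey\$InternetZone"
    $raw = (Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction Stop).$ActiveScripting
    [pscustomobject]@{ Zone = $InternetZone; Value = $raw; Setting = $Meaning[[int]$raw] }
}

function Disable-InternetZoneActiveScripting {
    # Same effect as choosing the "Disable" radio button in the steps above.
    $key = "$ZonesKey\$InternetZone"
    Set-ItemProperty -Path $key -Name $ActiveScripting -Value 3 -Type DWord
    Get-ActiveScriptingSetting
}

function Get-TrustedSites {
    # Domains mapped to the Trusted sites zone keep scripting when the Internet
    # Zone has it disabled, so they are worth reviewing when auditing a machine.
    Get-ChildItem -Path $DomainsKey -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        # Subkeys nest as Domains\example.com\www; rebuild www.example.com.
        $parts = ($_.Name -replace '^.*\\ZoneMap\\Domains\\', '') -split '\\'
        [array]::Reverse($parts)
        $hostName = $parts -join '.'
        foreach ($scheme in 'http', 'https', '*') {
            if ($props.$scheme -eq $TrustedZone) {
                [pscustomobject]@{ Host = $hostName; Scheme = $scheme; Zone = $TrustedZone }
            }
        }
    }
}

Get-ActiveScriptingSetting
Get-TrustedSites
# To apply the hardening from the post, run: Disable-InternetZoneActiveScripting
```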

If you use Firefox, I highly recommend the NoScript plug-in extension. It is highly functional, easier to use than the Trusted Sites model in IE, and keeps you safe and sound using default settings. I suggest, once installed, that you use the “Temporarily allow” function on ‘one-off’ sites that require it… and only then if it is really needed. And if after using it for a while it works for you, please donate a few PayPal bucks to them to encourage continued development.

While on the topic… the other Firefox add-ons I highly recommend are: Adblock, Fasterfox, and del.icio.us.

Happy (friggin) Thanksgiving (no rest for the wicked, or those of us trying to combat the wicked, or both).

_____________________________________________________________
KevFrey
