[ISN] eEye issues workaround against unpatched IE flaw

InfoSec News isn at c4i.org
Wed Mar 29 03:35:29 EST 2006


By John Leyden
28th March 2006

Security firm eEye Digital Security has released a temporary fix to 
protect Windows users against an unpatched vulnerability in Internet 

The critical vulnerability, which involves the way IE handles HTML 
Objects, affects even fully patched Windows XP systems. Exploits allow 
hackers to commandeer vulnerable machines by tricking surfers into 
visiting websites containing malicious code.

Users are advised to disable Active Scripting from within Internet 
Explorer as a workaround pending the arrival of a patch from 
Microsoft, expected on Tuesday, 11 April. Disabling Active Scripting 
might prove problematic in some environments, however, so eEye has 
stepped in to fill the breach with a temporary workaround.

"Users can protect themselves by manually making configuration 
changes, but eEye realises that not all organisations can take those 
steps. As a result, organisations should only install this patch if 
they are not able to disable Active Scripting as a means of 
mitigation," eEye cofounder and chief hacking officer Marc Maiffret 

eEye stresses that its workaround shouldn't be seen as a substitute 
for a fully tested patch, but will provide "immediate protection in 
lieu of an available fix". "In fact, eEye has engineered the patch to 
automatically remove itself when Microsoft's official patch comes 
through," Maiffret added. ®
