Sunday, March 26, 2006

Another dangerous zero-day IE exploit on the loose.

The unpatched CreateTextRange vulnerability in Internet Explorer is already being used by at least one Web site to install spyware on users' machines. Disclosed only Wednesday, the flaw in IE 5.01, 6.0, and the January version of IE 7 Beta 2 Preview has security vendors worried because a patch isn't available from Microsoft. Thursday, as news circulated that a working exploit had been publicly posted, Microsoft said it was working on a fix. Even before the site exploiting the CreateTextRange bug was discovered, several other security companies had raised alarms. It reminds me of the Windows Metafile fiasco in late December, when another "zero-day" flaw hit Windows users.
Disable IE's active scripting, or switch to any other browser which is not using this... or try to find out whether your AV package is able to counter this exploit.