Slashdot Mirror


Extremely Critical IE6/SP2 Exploit Found

Spad writes "Secunia is reporting on three vulnerabilities in IE6 running on XP SP2. Any of these, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files, can be exploited to compromise a user's system. Moreover, the vulnerability can be used to delete files from the user's system. Secunia says 'Solution: Use another product.'"

3 of 595 comments

  1. Now we use IE6 and XP only for banking by Green+Salad · Score: 5, Interesting

    It was mandatory for us to switch to Mozilla. Problem is all our financial vendors make use of ActiveX.

    Result: Now we use Mozilla for casual browsing and use insecure products only when conducting important business!

  2. Re:Heh by Owndapan · Score: 5, Interesting

    The exploit worked on my fully patched WinXP SP2 box, running EZ Firewall/Antivirus suite, and running as a non-admin user.

    I think this exploit deserves a bit more attention than "serves clueless n00bs right". Although to be fair my default browser (Firefox) was unaffected ;)

  3. What did Microsoft do to SP2 by Nuskrad · Score: 5, Interesting

    I'm running XP SP1 with all critical updates installed. To get the exploit to run with IE on my computer I have to manually change the security level to low, allow an unsigned ActiveX control to run when it warns me I shouldn't, and confirm the overwriting of files. What the hell did Microsoft do in SP2 to make it vulnerable?