Slashdot Mirror


Highly Critical Hole Found in IE

dotpavan writes "eWeek reports on a highly critical MS Internet Explorer hole found by Secunia Research's Andreas Sandblad. The vulnerability is due to the processing of the "createTextRange()" method call applied on a radio button control. From Secunia, "The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2." The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition) though it could be avoided by turning off Active Scripting, as suggested by the Microsoft Security Response Center blog. How would this put MS in the market, hit by the ever-growing shots of vulnerabilities? And would the divorce of IE7 from Vista's Windows Explorer help?"

3 of 336 comments

  1. Not possible. by babbling · Score: 4, Informative

    Can't... it's required for Windows Update! If you don't update, you're screwed!

    Can't be secure with ActiveX, can't be secure without ActiveX... but what would happen if ActiveX didn't exist?

    1. Re:Not possible. by bedroll · Score: 5, Informative
      Disable ActiveX in the Internet Zone and add *.windowsupdate.com and *.microsoft.com to your trusted sites.

      ActiveX really should only run from trusted sites anyway.
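
The zone settings suggested in the comment above, together with the Active Scripting workaround from the story, as an added example that is not part of the original thread. It assumes per-user Internet Explorer settings under HKCU, the standard zone numbering (2 = Trusted sites, 3 = Internet) and the documented URL action codes; trusting only the `https` scheme is this example's choice.

```powershell
# Added example (not from the thread). Per-user IE security-zone hardening.
# Zone 3 = Internet, zone 2 = Trusted sites. Action data: 0 = Enable, 3 = Disable.
$base  = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$DWord = [Microsoft.Win32.RegistryValueKind]::DWord

# URL action codes to disable in the Internet zone.
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
}
foreach ($code in $actions.Keys) {
    # Registry.SetValue creates the key if it does not exist yet.
    [Microsoft.Win32.Registry]::SetValue("$base\Zones\3", $code, 3, $DWord)
}

# Map the two domains named in the comment (and their subdomains) to Trusted sites.
# Value name 'https' trusts only the HTTPS scheme (an assumption of this example).
foreach ($domain in 'windowsupdate.com', 'microsoft.com') {
    [Microsoft.Win32.Registry]::SetValue("$base\ZoneMap\Domains\$domain", 'https', 2, $DWord)
}

# Read the settings back and report anything that did not stick.
$report = foreach ($code in $actions.Keys) {
    $value = [Microsoft.Win32.Registry]::GetValue("$base\Zones\3", $code, $null)
    [pscustomobject]@{ Setting = $actions[$code]; Code = $code; Disabled = ($value -eq 3) }
}
$report | Format-Table -AutoSize
if ($report.Disabled -contains $false) {
    Write-Warning 'Some Internet-zone actions are still enabled.'
}
```

Zone settings delivered by Group Policy take precedence over these per-user values, so on a managed machine the read-back only confirms what was written to HKCU.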

  2. Re:Safest browser ever available by Beryllium+Sphere(tm) · Score: 4, Informative

    The only thing funnier than jokes about Lynx vulnerabilities is that there have been real ones. Remote shell access in Lynx, Lynx command injection, Lynx NNTP buffer overflow.

    Maybe the thing to do is to telnet to port 80 and parse the HTML in your head, but then someone will probably find an HTML trick that will drive everyone who reads it insane.