Wednesday, September 27, 2006

Microsoft Internet Explorer ActiveX Vulnerability - CERT SA06-270A


US-CERT (The National Computer Emergency Readiness Team) issued the following alert, SA06-270:

Microsoft Internet Explorer ActiveX Vulnerability

Original release date: September 27, 2006
Last revised: --
Source: US-CERT

Systems Affected
  • Microsoft Windows
  • Internet Explorer
Overview

A vulnerability in ActiveX and Internet Explorer could allow an attacker to take control of your computer.

Solution
Microsoft has not yet released an update to address this vulnerability. Until an update is available, consider the following best practices:

Disable ActiveX

Disabling ActiveX will prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in "Securing Your Web Browser" and "Improve the safety of your browsing and e-mail activities."

Do not follow unsolicited links

Do not click on unsolicited URLs, including those received in email, instant messages, web forums, or internet relay chat (IRC) channels.

Description

An attacker could exploit a vulnerability in an ActiveX control by convincing a user to visit a web site with Internet Explorer. The attacker could then take any action as the user, including installing malicious software and accessing sensitive personal information.

For more technical information, see Vulnerability Note VU#753044.

References
  • Securing Your Web Browser -
  • Vulnerability Note VU#753044 -
  • Improve the safety of your browsing and e-mail activities -
  • Microsoft Security Essentials -

  • No comments: