Internet Explorer Hit by Major XSS Bug

Security advice firm Secunia has released information concerning a new flaw with Microsoft's web browser, Internet Explorer.

The exploit allows cross site scripting attacks to be performed on users. In the scenario that Secunia have published, users can follow a link to xyz.com, have xyz.com in the address bar yet have content being fed to the browser from another site. Clicking on the "Pad-lock" SSL icon in the bottom corner of internet explorer also reveals xyz.com.

The problem is caused by "DHTML Edit ActiveX control when handling the "execScript()" function in certain situations. This can be exploited to execute arbitrary script code in a user's browser session in context of an arbitrary site". The issue affects the most recent releases of Internet Explorer 6.0, including Service Pack 2 patched systems. To avoid the exploit affecting you, it's advised that you disable ActiveX. Microsoft have yet to comment or release a patch for the problem.

Other browsers are not affected.

View: Secunia Advisory

Previous Story
Electronic Arts' takeover of DICE on ice
Next Story
Yahoo! Updates Search Features