Internet Explorer Cross-Site Scripting Vulnerability
Paul has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct cross-site scripting attacks.
The vulnerability is caused due to an error in the DHTML Edit ActiveX control when handling the “execScript()” function in certain situations. This can be exploited to execute arbitrary script code in a user’s browser session in context of an arbitrary site.
Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2.
Critical: Moderately critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6
Solution:
Set security level to high for the “Internet” zone (disable ActiveX support).
