Of course, this code would be executed in the security context of the logged-on user, so if you don't use your Windows computer as an Administrator the risks are minimised, but still there.
This means that an attacker could create a website with some special code and, without warning, just by the user visiting the page, a series of commands could be executed on the user's computer. This obviously includes things such as deleting files, changing configuration, and even installing malware such as keyloggers or trojans and bot clients.
In its advisory, Microsoft says it is completing development of a cumulative security update for Internet Explorer that addresses the “createTextRange” vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the April security updates on 11 April 2006, or sooner.
Really, I hope this is sooner rather than later. Can you imagine an entire army of password stealers, spam bots and other malware, installed without the owners' knowledge?
According to Microsoft, customers who use the Microsoft Internet Explorer 7 Beta 2 Preview that was released on 20 March 2006 are not affected by the publicly reported vulnerability. Also, users of other browsers such as Firefox are not affected by this.
This cannot be exploited automatically through e-mail or while viewing e-mail in the preview pane in Outlook or Outlook Express. Customers would have to click on a link that takes them to a malicious Web site, or open an attachment that exploits the vulnerability, to be at risk.
While Microsoft is working on the fix, security firm eEye has released a patch that will secure things for now, but should be removed before installing the permanent fix coming from Microsoft.