Tuesday, November 22, 2005

Critical Flaw Targets IE, and How To Fix It

Exploit code for a critical flaw in fully patched versions of Microsoft Corp.'s Internet Explorer browser has been released on the Internet, putting millions of Web surfers at risk of computer hijack attacks. The zero-day exploit, posted by a U.K.-based group called "Computer Terrorism," could allow a remote hacker to take complete control of a Windows system if the victim simply browses to a malicious Web site.

A Microsoft spokeswoman acknowledged that customers running Windows 2000 SP4 and Windows XP SP2 were at risk. Windows Server 2003 and Windows Server 2003 SP1, in their default configurations with the Enhanced Security Configuration turned on, are not affected. "We have also been made aware of proof of concept code that could seek to exploit the reported vulnerability but are not aware of any customer impact at this time but Microsoft will continue to investigate these public reports," the spokeswoman added.

The proof-of-concept exploit, which is available from the FrSirt site, currently launches the Windows Calculator (calc.exe) but can be easily modified by malicious hackers.

HOW TO FIX IT: Until Microsoft issues an official patch (check Windows Update), IE USERS: Immediately disable "Active Scripting" via the Tools > Internet Options > Security tab > Custom Level feature.
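The same workaround can be checked and applied through the registry, which is useful when many machines need it. This PowerShell sketch is an added example, not part of the original post; the function names are hypothetical, and it assumes the standard per-user Internet Explorer zone settings, where action `1400` is Active Scripting and zone `3` is the Internet zone.

```powershell
# Added example: registry equivalent of Tools > Internet Options > Security >
# Custom Level > Active scripting. Function names are hypothetical.
# Assumption: only per-user (HKCU) zone settings are in play; machine-wide or
# Group Policy zone settings, if configured, take precedence over these values.

$ZonesKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveScripting = '1400'   # URL action "Active scripting"
$Meaning   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }

function Get-ActiveScriptingState {
    # Report the Active Scripting setting for every security zone.
    foreach ($zone in 0..4) {
        $path  = Join-Path $ZonesKey $zone
        $value = (Get-ItemProperty -Path $path -Name $ActiveScripting `
                    -ErrorAction SilentlyContinue).$ActiveScripting
        $state = if ($null -eq $value) { 'Not set' }
                 elseif ($Meaning.ContainsKey([int]$value)) { $Meaning[[int]$value] }
                 else { "Unknown ($value)" }
        [pscustomobject]@{ Zone = $ZoneNames[$zone]; ActiveScripting = $state }
    }
}

function Disable-ActiveScripting {
    # Set Active Scripting to Disabled (3) for one zone; default is Internet.
    param([ValidateRange(0, 4)][int]$Zone = 3)
    $path = Join-Path $ZonesKey $Zone
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $ActiveScripting -Value 3 -Type DWord
}

# Show the state before and after applying the workaround to the Internet zone.
Get-ActiveScriptingState | Format-Table -AutoSize
Disable-ActiveScripting -Zone 3
Get-ActiveScriptingState | Format-Table -AutoSize
```

Restart Internet Explorer after the change so the new zone setting is picked up.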

