Sadly, the attacks include code execution capability if you happen upon a malicious, or compromised, site. The advisory seems to spell out that the code execution would run within the context of the logged-in user, so if you're following best practice and not using an elevated privilege account for general browsing, you would be in better shape than if you were operating under elevated or administrator privileges. We all know that's a big no-no. There doesn't appear to be any privilege escalation component to the current attacks.
Microsoft is recommending that we all set the killbits on the affected controls, including on platforms not listed as vulnerable, such as Vista and 2008 Server. This tells me that they are not double-dog certain that similar vulnerabilities or differently-crafted exploits wouldn't be trouble.
Apparently there are no "by-design" Internet Explorer uses for this control, but if you're in an enterprise environment, you may want to check and see which apps might need the control to operate before you drop a script-bomb to change killbits everywhere.
No comments:
Post a Comment
Please tell me what you think.