Javascript & IE

Rik · Nov 23, 2009, 17:35:43

If you use version 6 or 7 of Microsoft's Internet Explorer browser you should disable the JavaScript function immediately.

Security experts have warned anyone using Internet Explorer 6 or 7 on a Windows XP or Windows Vista PC to take immediate steps to ensure their security.

This is because an exploit for a previously unknown flaw in the browser has been spotted in circulation.

The flaw could enable a hacker to take over a computer if a surfer visited a compromised website using a vulnerable version of the IE browser.

Proof-of-concept code is already circulating on the web, with more exploit code likely to be on the way.

Security firm Symantec advised surfers to disable JavaScript in IE and to ensure their anti-virus definitions were up to date.

"The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future. When this happens, attackers will have the ability to insert the exploit into sites, infecting potential visitors," Symantec said in a statement.

You can disable JavaScript in IE7 by going to Tools, Internet Options, click on the Security tab and then click on Custom Level. Scroll down until you find the entry for Scripting, then click on Disable.

In IE6, follow the same instructions, though you are looking for the entry for 'Active scripting' in the Custom Level dialogue box. You will also need to restart your browser for the fix to take effect.

Other versions of Internet Explorer and Windows could also be affected, Symantec warned.

Microsoft has not yet commented on the vulnerability.

somanyholes · Nov 23, 2009, 17:40:34

shame they don't have no script

On a more serious note turning off javascript is going to break a massive amount of sites, I can't believe they have recommended to turn it off. Web security would be so muc better if javascript didnt exist at all, it really is a big gaping hole in browser security.

Glenn · Nov 23, 2009, 17:40:55

Do you have a link please Rik, I'll send it to my desktop admin team?

Rik · Nov 23, 2009, 17:46:31

I don't, I stole it from elsewhere, So.

Noreen · Nov 23, 2009, 17:47:39

Is it the one called "Scripting of Java Applets", Rik?

Rik · Nov 23, 2009, 17:47:56

This is the best I could find:

http://voices.washingtonpost.com/securityfix/2009/11/new_attack_targets_weakness_in.html

Rik · Nov 23, 2009, 17:48:09

Quote from: Noreen on Nov 23, 2009, 17:47:39
Is it the one called "Scripting of Java Applets", Rik?

Possibly.

Glenn · Nov 23, 2009, 17:48:28

http://news.softpedia.com/news/IE7-0-Day-Vulnerability-Published-in-the-Wild-127732.shtml

Sebby · Nov 23, 2009, 18:03:33

Good old IE.

Baz · Nov 23, 2009, 18:06:20

i dont use IE if I can help it but for those that do and are not familiar with Javascript how do you disable it Rik and how long to leave it disabled

Rik · Nov 23, 2009, 18:07:09

QuoteYou can disable JavaScript in IE7 by going to Tools, Internet Options, click on the Security tab and then click on Custom Level. Scroll down until you find the entry for Scripting, then click on Disable.

In IE6, follow the same instructions, though you are looking for the entry for 'Active scripting' in the Custom Level dialogue box. You will also need to restart your browser for the fix to take effect.

Baz. Not sure about IE8.

Baz · Nov 23, 2009, 18:08:37

opps sorry Rik didnt read it all

Rik · Nov 23, 2009, 18:09:33

I know the feeling Baz, I do it all day.

Baz · Nov 23, 2009, 18:10:55

what do they class as a compromised website or is there far too many to mention

Noreen · Nov 23, 2009, 18:11:25

I found this http://www.technipages.com/internet-explorer-7-enabledisable-javascript.html

Rik · Nov 23, 2009, 18:11:51

Thanks, Noreen.

psp83 · Nov 23, 2009, 18:17:12

Quote from: somanyholes on Nov 23, 2009, 17:40:34Web security would be so muc better if javascript didnt exist at all, it really is a big gaping hole in browser security.

Web security would be better if IE didnt exist!

Its not javascript thats in the wrong, its the browser not coded correctly.

somanyholes · Nov 23, 2009, 18:30:05

Quote
Web security would be better if IE didnt exist!

Its not javascript thats in the wrong, its the browser not coded correctly.

xss/csrf dont care what browser your using, javascript/actionscript all lead down the same path.

Noreen · Nov 23, 2009, 18:31:11

I disabled it and found that I couldn't use smilies in posts so I've reset it again.

Rik · Nov 23, 2009, 18:33:04

It would do that, and affect some other forum functions too.

Noreen · Nov 23, 2009, 18:39:14

Possibly doesn't affect Vista, only XP. http://blogs.pcmag.com/securitywatch/2009/11/unpatched_vulnerability_and_ex.php

Noreen · Nov 24, 2009, 17:40:04

Looks as though it does affect Vista.

http://www.microsoft.com/technet/security/advisory/977981.mspx

Rik · Nov 24, 2009, 18:07:51

Nice to see they're really going flat out to fix it, isn't it.

Gary · Nov 24, 2009, 18:36:58

Quote from: Rik on Nov 24, 2009, 18:07:51
Nice to see they're really going flat out to fix it, isn't it.

Makes Windows 7 look tempting for those with XP and Vista, Rik.

Rik · Nov 24, 2009, 18:37:26

Makes a Mac look even more tempting.