Suggest A Fix PC Support Forums > MS Patch Available: IE Diminishes Cross-Site Scrip

Full Version: MS Patch Available: IE Diminishes Cross-Site Scrip

Suggest A Fix PC Support Forums > Security > Security News and Warnings

73-997563179

Oct 22 2001, 09:47 AM

IE on Windows, all versions believed to be vulnerable; The following versions were tested: 4.72.3612.1713 (SP2; 3283), 5.00.3315.1000 (SP2), 5.50.4522.1800, 6.0.2600.0000.

A malicious web page in a user's Restricted security zone could cause Javascript to be executed in the Internet security zone, circumventing Restricted zone protections.

There is no official fix from Microsoft at this time, the author recommends disabling scripting in the Internet Zone under Security. According to the author, "Web Sites that accept user-submitted content *must* filter out about: URLs just as they should filter out 'javascript:' and 'vbscript:' ones.*** It's probably a good idea to disallow all protocol not known-good (http[s], ftp, etc.) as there may be other protocols which present a risk."

Reported by : "Clover Andrew"

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.