November 21, 2005 -- US-CERT is aware of a vulnerability in the way Microsoft Internet Explorer handles requests to the window() object. If exploited, the vulnerability could allow a remote attacker to execute arbitrary code with the privileges of the user. Additionally, the attacker could also cause IE (or the program using the WebBrowser control) to crash.


Exploit code for this vulnerability is publicly available. We have confirmed that the public exploit is successful on Windows 2000 and Windows XP systems that are fully patched as of November 21, 2005.

More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

* VU#887861 - Microsoft Internet Explorer vulnerable to code execution via scripting "window()" object

US-CERT strongly encourages Windows users to implement the following workaround:

* Disable Active scripting by following the instructions at https://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56.

Source: Wired News