Potential Zero Day in IE6 disclosed in Chinese security E-Zine
Wednesday June 25, 2008 at 10:18 am CST
Posted by Yichong Lin
We recently came across an article published in a Chinese security e-zine called pstzine that describes a new zero-day cross-domain scripting flaw in IE6. The flaw is still unpatched in IE6 as of now, but IE7 and Firefox are not vulnerable to it.
The issue is very similar to the “Ghost Page” issues in IE, which were originally raised by security researchers Manuel Caballero and Fukami at Microsoft Bluehat 2008, and there has been some discussion of this topic on online blogs such as GNUCitizen.
We’ve notified Microsoft about this information. Until a patch is available, we advise IE6 users to disable scripting in the browser or upgrade to IE7 to avoid potential exploitation due to the public disclosure of this vulnerability.

June 28th, 2008 at 9:29 pm
[…] which might allow malware like keyloggers to intrude into your system and cause damage. As per a report published by McAfee, a well known malware removal vendor, an unpatched cross-site scripting bug in IE6 could be used by […]
July 1st, 2008 at 12:02 am
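[Microsoft] Zero-day vulnerability in IE6…
COMPUTERWORLD.jp: Risk of zero-day attacks on IE6: no patch distributed even though proof-of-concept code has been published. McAfee Avert Labs Blog: Potential Zero Day in IE6 disclosed in Chinese security E-Zine (English). There is a zero-day vulnerability in IE6…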