According to SANS: The UK group "Computer Terrorism" released a proof of concept exploit against patched versions of Internet Explorer. We verified that the code is working on a fully patched Windows XP system with default configuration. The bug uses a problem in the JavaScript 'Window()' function, if run from 'onload'. 'onload' is an argument to the HTML body tag, and is used to execute JavaScript as the page loads.

Impact: Arbitrary executables may be executed without user interaction. The PoC demo as tested by us will launch the calculator (calc.exe).

Mitigation: Turn off JavaScript, or use an alternative browser (Opera, Firefox). If you happen to use Firefox: This bug does not affect Firefox. But others may. For Firefox, the extension 'NoScript' can be used to easily allow JavaScript for selected sites only.
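
As an added illustration (not part of the SANS text or of the original post), here is a content-filter style check for the pattern described above: a `<body>` tag whose `onload` handler calls `window()`. The function names are assumptions, the HTML samples are constructed, and the match is a heuristic that covers only the inline `onload` attribute.

```python
import re
from html.parser import HTMLParser

# Heuristic (assumption): a direct call of window(...), matched case-insensitively
# so the advisory's 'Window()' spelling is caught. window.focus() etc. do not match.
WINDOW_CALL = re.compile(r"(?<![\w$])window\s*\(", re.IGNORECASE)


class OnloadWindowScanner(HTMLParser):
    """Collects <body onload=...> handlers that call window()."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # list of (line_number, handler_source)

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names and decodes
        # character references in attribute values before we see them.
        if tag != "body":
            return
        for name, value in attrs:
            if name == "onload" and value and WINDOW_CALL.search(value):
                line, _col = self.getpos()
                self.findings.append((line, value.strip()))


def scan_html(text):
    """Return the (line, handler) pairs flagged in one HTML document."""
    scanner = OnloadWindowScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


def flagged_files(pages):
    """Return the sorted names of pages with at least one finding."""
    return sorted(name for name, html in pages.items() if scan_html(html))


# Constructed sample pages (not taken from the advisory or any real site).
SAMPLES = {
    "flagged.html": '<html>\n<body onload="window();">\n</body></html>',
    "variant.html": '<HTML><BODY ONLOAD=" Window ( ) ">text</BODY></HTML>',
    "entity.html": '<html><body onload="&#119;indow()">x</body></html>',
    "benign_focus.html": '<html><body onload="window.focus(); init()">ok</body></html>',
    "benign_text.html": "<html><body><p>window() in text only</p></body></html>",
}

if __name__ == "__main__":
    for page in flagged_files(SAMPLES):
        print(page, scan_html(SAMPLES[page]))
```

A handler assigned from script (for example through `window.onload`) is outside what this check looks at, so it complements the mitigation above and does not replace it.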