Harry Waldron - IT Security

Security Developments, Software Updates and Best Practices

Internet Explorer - Two new critical vulnerabilities in the wild

This new bulletin advises users to "Disable Active Scripting support for all but trusted web sites".

SA11793: Internet Explorer Local Resource Access and Cross-Zone Scripting Vulnerabilities

http://secunia.com/advisories/11793/

http://slashdot.org/articles/04/06/09/116237.shtml

http://www.computerworld.com.au/index.php?id=117316298&eid=-255


Secunia Advisory: SA11793 (2004-06-08)

Critical: Extremely critical

Impact: Security Bypass and System access

Two vulnerabilities have been reported in Internet Explorer, which in combination with other known issues can be exploited by malicious people to compromise a user's system.

1) A variant of the "Location:" local resource access vulnerability can be exploited via a specially crafted URL in the "Location:" HTTP header to open local files.

2) A cross-zone scripting error can be exploited to execute files in the "Local Machine" security zone.

Secunia has confirmed the vulnerabilities in a fully patched system with Internet Explorer 6.0. It has been reported that the preliminary SP2 prevents exploitation by denying access.

Successful exploitation requires that a user can be tricked into following a link or viewing a malicious HTML document. The vulnerabilities are actively being exploited in the wild to install adware on users' systems.

Solution: Disable Active Scripting support for all but trusted web sites.
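
One way to check and apply the workaround above on a Windows client, as an added example that is not part of the Secunia advisory or the original post. It assumes the standard per-user Internet Explorer zone settings in the registry, where URL action 1400 is "Active scripting" (0 = enabled, 1 = prompt, 3 = disabled); the function names are hypothetical.

```powershell
# Added example: audit the "Active scripting" URL action (1400) for each IE security
# zone of the current user, and optionally disable it for the Internet zone.
# Settings enforced through Group Policy take precedence and are not read here.
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames  = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                 3 = 'Internet';      4 = 'Restricted sites' }
$ActionText = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveScriptingState {
    foreach ($zone in 0..4) {
        $item  = Get-ItemProperty -Path "$ZonesKey\$zone" -Name '1400' -ErrorAction SilentlyContinue
        $value = if ($item) { $item.'1400' } else { $null }

        # A missing value means the zone falls back to its template default.
        $state = if ($null -eq $value) { 'Not set (zone default)' }
                 elseif ($ActionText.ContainsKey([int]$value)) { $ActionText[[int]$value] }
                 else { "Unknown ($value)" }

        [pscustomobject]@{
            Zone            = $zone
            Name            = $ZoneNames[$zone]
            ActiveScripting = $state
            # The advisory's workaround allows scripting only for trusted sites (zone 2).
            NeedsReview     = ($zone -ne 2 -and $state -ne 'Disabled')
        }
    }
}

function Set-ActiveScriptingDisabled {
    param(
        # Default is the Internet zone only; Trusted sites (2) is left untouched.
        [ValidateRange(0, 4)]
        [int[]]$Zone = @(3)
    )
    foreach ($z in $Zone) {
        Set-ItemProperty -Path "$ZonesKey\$z" -Name '1400' -Value 3 -Type DWord
    }
}

# Report the current state, apply the workaround to the Internet zone, report again.
Get-ActiveScriptingState | Format-Table -AutoSize
Set-ActiveScriptingDisabled -Zone 3
Get-ActiveScriptingState | Format-Table -AutoSize
```

Internet Explorer reads these values when it starts, so restart the browser after changing them.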

Comments

Harry Waldron said:

Any idea when Microsoft will release a patch?
# June 9, 2004 6:02 PM

Harry Waldron said:

Looks like Symantec has updated Norton Antivirus 2004 to block the exploit: http://securityresponse.symantec.com/avcenter/venc/data/downloader.trojan.html
# June 9, 2004 6:28 PM
