Unpatched vulnerability in Internet Explorer.
If your operating system supports it, get your hands on IE7 RC1. If your operating system does not support IE7, you will need to use one of the workarounds.
The Microsoft Security Advisory can be found here:
Note that the workarounds recommended are:
- a killbit that can be used to prevent the Microsoft DirectAnimation Path ActiveX control from running in Internet Explorer;
- disable Active Scripting (which will break many sites);
- set Active Scripting to prompt (which will drive you nuts with the constant dialogue boxes); or
- modify the Access Control List on Daxctle.ocx to be more restrictive.
My preferred mitigation options, if it is not possible to upgrade to IE7, would be choices 1 or 4 for the time being.
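To confirm that the killbit workaround actually landed on a machine, the check below is an added example (not from the original post or the Microsoft advisory). It parses a `reg export` of the ActiveX Compatibility key and reports whether the kill bit (0x400 in `Compatibility Flags`) is set for a control. The CLSID is a placeholder and the export is constructed sample data; take the real DirectAnimation Path CLSID from the advisory.

```python
import re

KILL_BIT = 0x00000400  # Compatibility Flags bit that stops IE instantiating a control
AX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Placeholder only: substitute the CLSID given in the Microsoft advisory.
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"

_SECTION = re.compile(r"^\[(.+)\]\s*$")
_FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{1,8})\s*$', re.IGNORECASE)

# Constructed sample of a .reg export (already decoded to text).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000020
'''


def parse_compat_flags(reg_text):
    """Map upper-cased CLSID -> Compatibility Flags value from a .reg export."""
    flags, current = {}, None
    prefix = AX_COMPAT.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            # Only direct CLSID subkeys of the ActiveX Compatibility key count.
            rest = key[len(prefix):] if key.lower().startswith(prefix) else ""
            current = rest.upper() if rest and "\\" not in rest else None
            continue
        m = _FLAGS.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    return flags


def killbit_status(reg_text, clsid):
    """Return 'set', 'not set' (entry exists, bit clear) or 'missing' (no entry)."""
    value = parse_compat_flags(reg_text).get(clsid.upper())
    if value is None:
        return "missing"
    return "set" if value & KILL_BIT else "not set"
```

A result of "missing" or "not set" means the workaround is not in effect for that control, even if a registry entry for it exists.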
It is, to put it nicely, extremely disappointing that proof of concept code that makes use of the vulnerability has been made public. Such disclosure of vulnerabilities, and publishing code that takes advantage of vulnerabilities, is irresponsible. I wish there was some way to make such sites legally liable for any damage done to systems or networks that would not have occurred were it not for such irresponsible disclosure.