Yesterday, I posted an advisory about another vulnerability in Internet Explorer. Now, an exploit code that takes advantage of this vulnerability has been released, as reported in Security Focus and in SANS Internet Storm Center. This is a zero-day exploit.

Microsoft has already posted a Security Advisory on this, and has made several suggestions on how to mitigate this problem while a patch is being prepared.

The best workaround is to disable ActiveScripting in the meanwhile; you also set the browser to prompt the user before running ActiveScripting, if you don’t want to disable it:

1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.

Since this vulnerability allows for a remote code execution, IE users are advised to be careful about browsing, and to apply the suggested mitigation until a patch is released.