March 30, 2006
Disable IE's Active Scripting To Protect Against Bug
While users
wait for Microsoft to
patch the most recent zero-day
vulnerability in Internet Explorer, security experts agree that the best way to protect PCs is to dump the browser's Active Scripting function.
Even eEye Digital Security, one of two commercial security vendors that has released unsanctioned, temporary patches for the problem, said so.
"Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation," eEye warned in the advisory accompanying the patch.
Microsoft's preferred workaround for the createTextRange bug is to disable Active Scripting so as to bar any JavaScript code from running. In fact, this isn't the first time that Microsoft has urged users to switch off Active Scripting; in early December, it used the same advice when another unpatched vulnerability was wreaking havoc.
Here's how to turn off Active Scripting:
-- In Internet Explorer, click Internet Options on the Tools menu.
-- Click the Security tab.
-- Click Internet, and then click Custom Level.
-- Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK.
-- Click Local intranet, and then click Custom Level.
-- Under Settings, in the Scripting section, under Active Scripting, click Disable, and then click OK.
-- Click OK two times to return to Internet Explorer.
Doing so, however, will break some sites and/or functions within sites, as Microsoft itself warned in the security advisory posted last week and updated Wednesday.
"Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly," the advisory went. "If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly."
39%
22%
17%
12%
10%
