Staff: By exploiting the way Windows HTML Objects handle bogus method calls, an attacker can take over your computer. And all you need to do is browse the evil website with Internet Explorer on any version of Windows after Windows 98.
Remember… To win this brass ring you must visit the evil website. While the attacker can offer an embedded email link to trick you into going to the site, this vulnerability cannot be activated without an actual visit.
That’s why Microsoft says your Number One defense is avoiding evil websites… especially since there is no cure for this ailment.
But since the attacker can do no more damage than the available user rights allow, you can avoid a heap o’ trouble by installing Microsoft’s free DropMyRights wrapper for your browser… any browser.
Email Battles reviewed DropMyRights in Security Fix: Firefox, IE, Opera, Outlook & other Browsers & Email Clients. That was back in January 2006, and we’re still enthusiastic users. Never browse the Internet as Administrator.
In addition, you can force Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zones, which will break a few inconsequential sites, like banking and e-commerce.
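The two defenses above (don't browse with administrator rights; tighten Active Scripting in the Internet and Local intranet zones) can be checked and applied from a PowerShell prompt. The script below is an added example written for this page; it is not from the Email Battles article, DropMyRights, or Microsoft. It assumes the standard per-user zone settings under `HKCU\...\Internet Settings\Zones`, where zone 1 is Local intranet, zone 3 is Internet, value `1400` is the Active scripting URL action, and the data values 0, 1 and 3 mean Enable, Prompt and Disable. A Group Policy setting under the `Policies` keys would override what this script writes. The function names are the example's own.

```powershell
# Added example (not from the original article): report whether this session
# holds administrator rights, audit the IE "Active scripting" setting (value 1400)
# in the Local intranet (1) and Internet (3) zones, and switch the weak setting
# (0 = Enable) to Prompt (1) or Disable (3). Assumes the per-user zone key below.
$ZoneRoot       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveScripting = '1400'                                 # URL action: run Active scripting
$Zones  = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Levels = @{ 0 = 'Enable (weak)'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IsAdministrator {
    # True when the current token is a member of the built-in Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ActiveScriptingSetting {
    param([int]$Zone)
    $key   = Join-Path $ZoneRoot $Zone
    $value = (Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue).$ActiveScripting
    # A missing value is treated here as the zone template default, Enable (assumption).
    if ($null -eq $value) { $value = 0 }
    return [int]$value
}

function Set-ActiveScriptingSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Zone,
        [ValidateSet(1, 3)][int]$Level = 1   # 1 = Prompt, 3 = Disable; 0 (Enable) is never written
    )
    $key = Join-Path $ZoneRoot $Zone
    if ($PSCmdlet.ShouldProcess("$($Zones[$Zone]) zone", "Set Active scripting to $($Levels[$Level])")) {
        Set-ItemProperty -Path $key -Name $ActiveScripting -Value $Level -Type DWord
    }
}

if (Test-IsAdministrator) {
    Write-Warning 'This session has administrator rights; browse from a limited account (or via DropMyRights) instead.'
}

foreach ($zone in ($Zones.Keys | Sort-Object)) {
    $current = Get-ActiveScriptingSetting -Zone $zone
    $label   = if ($Levels.ContainsKey($current)) { $Levels[$current] } else { "unknown ($current)" }
    Write-Host ('{0,-15} Active scripting: {1}' -f $Zones[$zone], $label)
}

# Preview the change with -WhatIf; drop it to apply. Use -Level 3 to disable outright.
foreach ($zone in $Zones.Keys) {
    Set-ActiveScriptingSetting -Zone $zone -Level 1 -WhatIf
}
```

Run it once without changes to see the weak setting reported as `Enable (weak)`, then remove `-WhatIf` to write Prompt (or Disable) for both zones; re-running shows the corrected value. Because the function supports `-WhatIf` and `-Confirm`, it can be dropped into a logon script without silently altering settings.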
No mention of whether this vulnerability affects Opera or Firefox.