Bill Stout wrote:

> http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html
> "This exploit can be mitigated by turning off Javascripting.
>
> Update: Turning off Javascripting is no longer a valid mitigation. ...

Well, to pick a nit, the Sunbelt blog entry is correct -- the specific exploit they were talking about does require scripting. What you are referring to is that the suggested workaround to block that _exploit_ does not mitigate the _vulnerability_ that that same exploit takes advantage of, and you are correct. The vulnerability can be (and has been since, both in PoC and in the wild IIRC) exploited with plain (??) "VML HTML" -- that is, without using scripting.

> ... A
> valid mitigation is unregistering the VML dll. "

Much as a valid mitigation for a snake bite mid-calf is (swift) amputation below the knee... 8-)

If you'd like to keep using your lower leg -- I mean, VML in IE and other apps -- you might consider the third-party, unsupported, use-at-your-own-risk ZERT patch, which mitigates the vulnerability while leaving VML functionality available:

http://isotf.org/zert/

Seriously though, if we were all a little more careful about our use of terminology, this should all have been rather clear from the start.

Regards,

Nick FitzGerald