A second exploit for the zero-day security hole in Internet Explorer 7 has appeared that also makes Windows Vista SP1 bite the dust. The vulnerability is mainly used throughout China to steal passwords for online games, but security experts fear the situation may soon worsen.
I don’t know if IE7 is anything like IE6 in that you can’t just disable JavaScript, but you have to disable active scripting, which includes more than just JavaScript.
For the moment, and that is until this hole is patched, and it is a tricky one, that is for sure, Microsoft’s own advice is to enable DEP in IE:
Local Administrators can control DEP/NX by running Internet Explorer as an Administrator. To enable DEP, perform the following steps:
In Internet Explorer, click Tools, click Internet Options, and then click Advanced.
Click Enable memory protection to help mitigate online attacks.
Impact of Workaround: Some browser extensions may not be compatible with DEP and may exit unexpectedly. If this occurs, you can disable the add-on, or revert the DEP setting using the Internet Control Panel. This is also accessible using the System Control panel,
JRE crashes IE 7 if you enable DEP in IE 7, so this workaround isn’t very practical. Using Protected Mode also helps to mitigate the attack, as mentioned in the article polonus linked to above.