CVE-2007-3576

Name of the Vulnerable Software and Affected Versions Microsoft Internet Explorer 6

Description The issue allows remote attackers to bypass certain XSS protection schemes by executing web script from URIs of arbitrary scheme names ending with the "script" character sequence. This is done using the (1) vbscript: handler for scheme names with 7 through 9 characters, and the (2) javascript: handler for scheme names with 10 or more characters. However, other researchers dispute the significance of this issue, stating it only works when typed in the address bar.

Recommendations For Microsoft Internet Explorer 6, consider disabling the execution of scripts from arbitrary scheme names to minimize the risk of exploitation. As a temporary workaround, restrict the use of the vbscript: and javascript: handlers for scheme names with specific character lengths until a patch is available.