Stephan Chenette of Websense describes a new Internet attack vector that could allow hackers to bypass anti-virus protection at both the gateway and the desktop. The technique, called script fragmentation, involves breaking down malware into smaller pieces in order to beat malware analysis engines.
The attack, which has not been seen in the wild by Websense, works on all the major browsers. Technically, however, it is not a browser vulnerability—it merely takes advantage of the way browsers work.
My initial thoughts: If this gets out into the wild, the only protection is to either turn off scripting entirely in Internet Explorer (which will cripple most legitimate websites), or use the excellent NoScript plugin for Firefox (and use it correctly.)