Paul Crowley ([personal profile] ciphergoth) wrote 2004-07-05 05:09 pm

Update for fixing IE vulnerability

Fab fab fab fab party. Fab. Ta muchly.

Update thanks to the ever-alert deliberateblank.

Microsoft have released a fix to the critical vulnerability I discussed earlier. However, it appears that this fix doesn't actually plug the vulnerability. It's probably still worth keeping your box up-to-date with Windows Update, but it won't protect you against this attack.

I still recommend that you either use Mozilla Firefox or another alternative to IE. If for some reason this is not an option, don't use IE to browse the wider Web.

[identity profile] deliberateblank.livejournal.com 2004-07-05 09:44 am (UTC)(link)
El Reg claims the fix doesn't.

[identity profile] toripink.livejournal.com 2004-07-05 12:18 pm (UTC)(link)
poor poppett! hope things are a bit better now *hugs*

[identity profile] ciphergoth.livejournal.com 2004-07-06 01:24 am (UTC)(link)
This isn't a problem for me - I hardly use Windows. But if you use Windows, it may be a problem for you. Check my previous post about it...

*poppets away...*

[identity profile] thekumquat.livejournal.com 2004-07-05 09:57 am (UTC)(link)
I did have reasonable faith in our IT bods to keep out nasties (despite them giving us only IE to use), but today I got my first ever spam at work...

Looks like I'll just have to live with the vulnerability, seeing as hacking about to the extent needed to install other browsers would be classed as gross misconduct.

[personal profile] booklectica 2004-07-05 12:48 pm (UTC)(link)
Unrelatedly: is your email working now?

[identity profile] ciphergoth.livejournal.com 2004-07-05 05:02 pm (UTC)(link)
No, still haven't made time to fix it. LJ email still works though.

[identity profile] pavlos.livejournal.com 2004-07-05 06:01 pm (UTC)(link)
I laugh at the continued misfortunes of Windows users. Well, actually my mac does have IE installed somewhere and I pray it never gets activated by mistake (although MacOS has a nice feature where it alerts you if a program gets used for the first time).

In case you wonder what would happen if Microsoft did fix their software, see here. I quote:

Microsoft's last major delay of Windows XP Service Pack 2 was caused by a hue and cry from enterprise evaluators about largely invisible new security measures, especially those in Internet Explorer that affect Web applications. [...] Mainstream Web sites that employ unsigned ActiveX applets, downloads, pop-up windows, browser helper objects, and other code- or scripting-based functions may encounter difficulty with SP2 version IE 6.
Sigh...

[identity profile] pavlos.livejournal.com 2004-07-06 06:05 pm (UTC)(link)
Work just mandated firefox :-)

[identity profile] ciphergoth.livejournal.com 2004-07-07 12:14 pm (UTC)(link)
Rah!

Though I would have thought at your workplace you could afford to let people run whatever they want so long as it isn't IE...

[identity profile] pavlos.livejournal.com 2004-08-04 02:41 am (UTC)(link)
Yeah, they do, effectively. They banned IE and now support Firefox.

[identity profile] conwow.livejournal.com 2004-07-10 11:10 pm (UTC)(link)
The vulnerability which has been widely reported as affecting only Internet Explorer, whereby the browser doesn't restrict access to the shell: URI handler, also affects a number of other products, including Firefox, Mozilla and Mozilla Thunderbird. See the official advisory from Mozilla here (http://www.mozilla.org/security/shell.html). The problem is an inherent security flaw that exists in later versions of Windows rather than a problem with the browser; the various patches that were released by Microsoft for Internet Explorer merely filtered sites from accessing this, rather than removing the flaw, hence it was still exploitable even with the patch installed.

[identity profile] ciphergoth.livejournal.com 2004-07-11 03:34 am (UTC)(link)
You have slightly the wrong end of the stick - the vulnerability in IE is not the "shell:" vulnerability of which you speak. The problem is that when Mozilla or Firefox encounter a URL scheme they don't recognise, they hand it off to the operating system, and in Windows the "shell:" scheme gives you an easy break.

The big difference between Mozilla/Firefox and IE here is that there are already patches and fixed releases for this bug available (which I'll announce here in a later post), while IE wasn't fixed for yonks after the vulnerability was announced, and by some reports still isn't.

By the way, who are you?

[identity profile] conwow.livejournal.com 2004-07-12 09:11 am (UTC)(link)
I have indeed got the wrong end of the stick; the permutation of the 'shell:' URI handler vulnerability is evidently not the one you are talking about, rather the "Location:" local resource access vulnerability. The previous vulnerability in IE 6 is indeed not patched; however, there are reports that alterations have been made to SP2 that prevent exploitation by denying access. This all goes to show Microsoft's ineptitude in auditing code and designing systems securely, and yet they STILL seem convinced that the only responsibility they have towards their customers' security while using their products is the offering of half a million dollar rewards for various worm authors.

I feel the difference between Internet Explorer and Mozilla/Firefox runs far deeper than the exploit to patch response time; it lies in the fact they have concise and open discussions about the design of their products, audit their code thoroughly and document the protocols they use for design and auditing thoroughly. This general openness that is systemic to the GNU/open source movement does not allow the shoddy code and design to exist (anymore at any rate - the BIND/WU-FTPd/Sendmail debate is a dull one so let's not have it) in the various popular products - Qmail, vsftpd, FreeBSD and OpenBSD all being good examples of this.

"who am i?" an innocent bystander..