Update for fixing IE vulnerability

[ciphergoth]

Fab fab fab fab party. Fab. Ta muchly.

Update thanks to the ever-alert deliberateblank.

Microsoft have released a fix to the critical vulnerability I discussed earlier. However, it appears that this fix doesn't actually plug the vulnerability. It's probably still worth keeping your box up-to-date with Windows Update, but it won't protect you against this attack.

I still recommend that you either use Mozilla Firefox or another alternative to IE. If for some reason this is not an option, don't use IE to browse the wider Web.

Comments

[conwow.livejournal.com]

The vulnerability which has been widely reported as effecting only Internet Explorer, whereby the browser doesn't restrict access to the shell: URI handler also effects a number of other products, including Firefox, Mozzila and Mozilla Thunderbird. See the official advisory from Mozilla here (http://www.mozilla.org/security/shell.html). The problem is an inherent security flaw that exists in later versions of Windows rather than a problem with the browser, the various patches that were released by Microsoft for Internet Explorer merely filtered sites from accessing this, rather than removing the flaw hence it was still exploitable even with the patch installed.

[ciphergoth.livejournal.com]

You have slightly the wrong end of the stick - the vulnerability in IE is not the "shell:" vulnerability of which you speak. The problem is that when Mozilla or Firefox encounter a URL scheme they don't recognise, they hand it off to the operating system, and in Windows the "shell:" scheme gives you an easy break.

The big difference between Mozilla/Firefox and IE here is that there are already patches and fixed releases for this bug available (which I'll announce here in a later post), while IE wasn't fixed for yonks after the vulnerability was announced, and by some reports still isn't.

By the way, who are you?

[conwow.livejournal.com]

I have indeed got the wrong end of the stick, the permutation of the 'shell:' URI handler vulnerability is evidently not the one you are talking about, rather the "Location:" local resource access vulnerability. The previous vulnerability in IE 6 is indeed not patched, however there are reports that alterations have been made to SP2 prevents exploitation by denying access. This all goes to show the Microsoft's ineptitude in auditing code and designing systems securely and yet they STILL seem convinced that the only responsibility they have towards their customer's security while using their products is the offering of half a million dollar rewards for various worm authors.

I feel the difference between Internet Explorer and Mozilla/Firefox runs far deeper than the exploit to patch response time, it lies in the fact they have concise and open discussions about the design of their products, audit their code thoroughly and document the protocols they use for design and auditing thoroughly. This general openness that is systemic to gnu/open source movement does not allow the shoddy code and design to exist (anymore at any rate - the BIND/WU-FTPd/Sendmail debate is a dull one so lets not have it) in the various popular products - Qmail, vsftpd, FreeBSD and OpenBSD all being good examples of this.

"who am i?" an innocent bystander..