Update for fixing IE vulnerability

[ciphergoth]

Fab fab fab fab party. Fab. Ta muchly.

Update thanks to the ever-alert deliberateblank.

Microsoft have released a fix to the critical vulnerability I discussed earlier. However, it appears that this fix doesn't actually plug the vulnerability. It's probably still worth keeping your box up-to-date with Windows Update, but it won't protect you against this attack.

I still recommend that you either use Mozilla Firefox or another alternative to IE. If for some reason this is not an option, don't use IE to browse the wider Web.

Comments

[conwow.livejournal.com]

I have indeed got the wrong end of the stick, the permutation of the 'shell:' URI handler vulnerability is evidently not the one you are talking about, rather the "Location:" local resource access vulnerability. The previous vulnerability in IE 6 is indeed not patched, however there are reports that alterations have been made to SP2 prevents exploitation by denying access. This all goes to show the Microsoft's ineptitude in auditing code and designing systems securely and yet they STILL seem convinced that the only responsibility they have towards their customer's security while using their products is the offering of half a million dollar rewards for various worm authors.

I feel the difference between Internet Explorer and Mozilla/Firefox runs far deeper than the exploit to patch response time, it lies in the fact they have concise and open discussions about the design of their products, audit their code thoroughly and document the protocols they use for design and auditing thoroughly. This general openness that is systemic to gnu/open source movement does not allow the shoddy code and design to exist (anymore at any rate - the BIND/WU-FTPd/Sendmail debate is a dull one so lets not have it) in the various popular products - Qmail, vsftpd, FreeBSD and OpenBSD all being good examples of this.

"who am i?" an innocent bystander..