Free Republic

IE Flaw Affects Windows XP SP2 Systems
InformationWeek

Posted on 08/22/2004 9:00:43 AM PDT by Happy2BMe

The "highly critical" vulnerability affects Internet Explorer 5.01, 5.5, and 6 on fully patched PCs running either Windows XP SP1 or the newer SP2.
By Gregg Keizer, TechWeb News

 
Another flaw in Internet Explorer has been uncovered by Danish security firm Secunia, which said that the gaffe left all PC users open to attack, even those who had updated Windows XP with the massive Service Pack 2 upgrade.

According to the alert that Secunia posted Thursday on its Web site, the vulnerability affects Internet Explorer 5.01, 5.5, and 6 on fully patched PCs running either Windows XP SP1 or the newer SP2.

Microsoft just began sending Service Pack 2 to Windows XP Home users this week, and although the update has been touted as a major security upgrade, the Secunia alert isn't the first problem that SP2 has faced. Microsoft has already issued a fix for SP2 that addresses problems some VPN users have encountered.

Grading the flaw "highly critical," Secunia says that proof-of-concept code has been published, and that the vulnerability--which stems from "insufficient validation of drag-and-drop events issued from the 'Internet' zone"--can be used by hackers to plant executable files in a Windows XP machine if the user is enticed to a malicious Web site.

"Even though the proof-of-concept depends on the user performing a drag-and-drop event, it may potentially be rewritten to use a single click as user interaction instead," Secunia warns.

It recommends either disabling Active Scripting within IE or using another browser until the problem is patched.

This flaw, says Secunia, is a close cousin of one discovered by a Chinese security researcher last September; those bugs have since been squashed.



TOPICS: Business/Economy; Culture/Society; Miscellaneous
KEYWORDS: crud; exploit; flaw; getamac; internetexploiter; lowqualitycrap; microsoft; patch; security; securityflaw; sp2; trojan; virus; windows; worm; xp
Crud. Just when you thought it was safe to surf the web and after Microsoft spent umpteen millions rolling out XP SP2, the nightmare continues.

Pretty soon, we'll need another operating system to tack on to Windows just to monitor the spyware, trojans, adware, viruses, malware . . .

1 posted on 08/22/2004 9:00:44 AM PDT by Happy2BMe

To: Happy2BMe
From Microsoft on their very first "patch" to the new (gigantic) XP SP2 "upgrade:"

_____________________________

Hotfix information

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows XP service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;[LN];CNTACTMS

Note: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

2 posted on 08/22/2004 9:03:15 AM PDT by Happy2BMe (JOHN KERRY is as much like the WORKING MAN as WHOOPIE GOLDBERG is to GEORGE W. BUSH! - Vote BUSH!)

To: Happy2BMe

http://www.mozilla.org

Live it. Love it.

This message brought to you by a formerly-faithful IE user.


3 posted on 08/22/2004 9:04:20 AM PDT by thoughtomator (antidisestablishment libertarian)

To: Happy2BMe

Interesting.


4 posted on 08/22/2004 9:06:56 AM PDT by FourtySeven (47)

To: thoughtomator
What do you think of Opera?

FWIW: I just did an update check on the MS Server (after having installed XP SP2) and it returned no updates necessary (security or otherwise).

5 posted on 08/22/2004 9:07:44 AM PDT by Happy2BMe (JOHN KERRY is as much like the WORKING MAN as WHOOPIE GOLDBERG is to GEORGE W. BUSH! - Vote BUSH!)

To: Happy2BMe

I haven't used Opera so I have no opinion on it. I have heard good reviews from others, but no firsthand info.


6 posted on 08/22/2004 9:12:31 AM PDT by thoughtomator (antidisestablishment libertarian)

To: Happy2BMe

I've been a uSoft fan for quite a while. They've always had a decent price point (SQL vs Oracle for example). But I have to say that XP is a piece of junk. I'm using it as I type this, but I have to reboot about once a day. Heap management is still weak. On the other hand I find the serious stuff, 2003 server is actually very good. But I am ticked about this XP nonsense. Their fixes are often as bad as their problems.
I'm also ticked at them for MSNBC.


7 posted on 08/22/2004 9:17:31 AM PDT by ProudVet77 (Kerry is Toast du Francai')

To: Happy2BMe

There is no good reason to be using Internet Explorer in the modern world.

Everyone needs to go to http://www.mozilla.org and download Mozilla's latest browser.


8 posted on 08/22/2004 9:20:58 AM PDT by applemac_g4

To: thoughtomator

Yep. Been using Firefox for months now and have no intention of going back to IE. No popups, I can still use Java functions and once a week or so, when I scan for spyware, I only find one or two data miners. With IE I'd find dozens.


9 posted on 08/22/2004 9:21:53 AM PDT by elmer fudd

To: applemac_g4

I wish Mozilla would fix the problems with PDFs. Sometimes it seems the system has crashed, but if you wait long enough, everything comes back. Frustrating.


10 posted on 08/22/2004 9:25:02 AM PDT by savedbygrace

To: ProudVet77
I spend half my time running at least three trojan and spybot TSRs and am getting tired of it.

I just upgraded my hardware to a 3.2 Prescott almost out of necessity to be able to run this piece of junk software fast enough to surf the web with all that crap running in the background.

And, I've got 1 gb of fast PC3200 SDRAM and still this thing runs like an i386 with the overhead.

Problem is, we're stuck with XP due to software developers being financially strapped to it also in order to get the sales volumes they need to keep their doors open.

Longhorn won't fix it. It's going to get to the point where viruses and trojans are so prolific people won't have to worry about catching them while surfing because they won't be able to surf.

11 posted on 08/22/2004 9:25:25 AM PDT by Happy2BMe (JOHN KERRY is as much like the WORKING MAN as WHOOPIE GOLDBERG is to GEORGE W. BUSH! - Vote BUSH!)

To: applemac_g4

My only problem with using Netscape is I've got so much time invested in building my email database with Outlook that it would be a major undertaking to convert over to mozilla's SMTP.


12 posted on 08/22/2004 9:27:36 AM PDT by Happy2BMe (JOHN KERRY is as much like the WORKING MAN as WHOOPIE GOLDBERG is to GEORGE W. BUSH! - Vote BUSH!)

To: Happy2BMe

http://www.mozilla.org/products/firefox/


download it. use it. NOT subject to the security flaws of IE.


13 posted on 08/22/2004 9:30:47 AM PDT by chronic_loser (Yeah? so what do I know?)

To: Happy2BMe

One thing that might help you is to turn off the windows update feature. Also turn off all the silly quick start features. (right hand on task bar). They eat up memory and CPU for no really good reason.
If you have SDRAM (133MHz?) see if the box you have supports DDRAM. If you have the Prescott it should. Makes a huge difference.
Also a really good thing to do is buy a 2nd disk drive. (get an old/used) 20GB and use it for your page file, temporary internet files, email files etc. It really helps.
One of the flaws in the XP approach is they put everything on to one disk volume. Also try to run the disk defrag tool.
Find out what is wrong. Turn on your task manager and see if you are CPU or memory limited.
I'm usually a $100/hour for advice, but on Sundays I give it out for free. Contact me by freepmail if you'd like.


14 posted on 08/22/2004 9:40:30 AM PDT by ProudVet77 (Kerry is Toast du Francai')

To: ProudVet77
Thanks, and all good advice.

Sorry, I meant to say 1 gb of PC3200 Double Data RAM.

Turned off everything in the "AUTO" area in control panel and my computer.

hehe . . just getting worn out keeping up with a flawed operating system. I'm A+ cert with 21 yrs building pcs.

15 posted on 08/22/2004 9:59:26 AM PDT by Happy2BMe (JOHN KERRY is as much like the WORKING MAN as WHOOPIE GOLDBERG is to GEORGE W. BUSH! - Vote BUSH!)

To: Happy2BMe

What is causing the performance issue?
Try perfmon and see if you are paging a lot.
Also what is the cpu utilization and memory utilization?
My primary computer is down at the moment, and I'm using a piece of junk Acer with a < 1GHz processor and 128MB of 100MHz SDRAM, and the performance is reasonable.
Have you turned off system restore? It's pretty useless in my mind.


16 posted on 08/22/2004 10:10:39 AM PDT by ProudVet77 (Kerry is Toast du Francai')

To: thoughtomator
FWIW, I've been using Opera for two years now. Currently running V7.54.

Small, fast, reliable, great popup blocker, nice customizable user features, etc. Overall, a winner.

I've also used Firefox V0.8. But I keep going back to Opera.

17 posted on 08/22/2004 10:53:07 AM PDT by upchuck (Well, if I called the wrong number, why did you answer the phone?)

To: Happy2BMe
It recommends either disabling Active Scripting within IE or using another browser until the problem is patched.

Isn't it amazing that all these other browser software developers are able to create browsers that don't have all the security holes of IE? Kinda makes ya wonder, don't it? :)

18 posted on 08/22/2004 10:56:48 AM PDT by upchuck (Well, if I called the wrong number, why did you answer the phone?)

To: upchuck
Uhhh... I got a question... Does this security hole exist on machines running straight XP w/out any patches? You don't suppose SP2 introduced this problem do you? Could MSFT be that dumb? Naaaaa....
19 posted on 08/22/2004 10:58:54 AM PDT by upchuck (Well, if I called the wrong number, why did you answer the phone?)

To: upchuck
I've also used Firefox V0.8. But I keep going back to Opera.

Firefox 9 (Using 9.3) is much improved....I prefer it over Opera.

20 posted on 08/22/2004 11:23:59 AM PDT by Ernest_at_the_Beach (A Proud member of Free Republic ~~The New Face of the Fourth Estate since 1996.)

