Free Republic
Browse · Search
News/Activism
Topics · Post Article


MS releases mother of all IE security patches
The Register ^ | 14/12/2001 at 13:10 GMT | John Leyden

Posted on 12/14/2001 2:43:15 PM PST by grimalkin

Microsoft has released a cumulative patch for Internet Explorer which the firm says is a "critical" security precaution against crackers which should be applied "immediately".

Installation of the mother of all patches "eliminates all previously discussed security vulnerabilities affecting IE 5.5 and IE 6" as well as tackling three newly discovered vulnerabilities, according to a security alert from Microsoft.

The first, and by far the worst, vulnerability involves a flaw in the way IE 6 handles Content-Disposition and Content-Type header fields in an HTML stream, which determine how a downloaded file is handled. The flaw means if an attacker altered the HTML header information in a certain way, it could be possible to make IE believe that an executable file was a different type of file, such as a text file that could be opened with minimal risk.

The vulnerability, which affects IE 6.0 only and not IE 5.5, means a cracker could create a Web page or HTML mail that, when opened, "would automatically run an executable on the user's system". It was discovered by Jouko Pynnonen of Oy Online Solutions.

Next up is a less serious vulnerability which could allow a malicious Web site operator to open two browser windows, one in the web site's domain and the other on the user's local file system, and to pass information from the latter to the former. This means the owner of malware.com could read, but not change, local PC files of any surfer he manages to lure to his site. However he'd have to know the name and location of the file he was looking for, which must be something that can be viewed in a browser.

This vulnerability, which affects both IE 5.5 and 6.0, is a variant of the "Frame Domain Verification" bug.

Lastly there's a flaw related to the display of the names of downloaded files. It's been discovered that it might be possible for a cracker to misrepresent the name of the file in a dialogue box, which could be used to fool users into accepting unsafe file types. Again the bug affects both IE 5.5 and 6.0.


TOPICS: Miscellaneous; News/Current Events

1 posted on 12/14/2001 2:43:15 PM PST by grimalkin
[ Post Reply | Private Reply | View Replies]
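
Added example (not part of the Register article or of this thread): a gateway-side check for the disagreement the article describes, where the Content-Type and Content-Disposition headers present a download as harmless while the body is an executable. The header values and bodies are constructed samples, and the extension and media-type lists are illustrative assumptions, not an exhaustive policy.

```python
import os
from email.message import Message

# File signatures of native executables (PE/DOS "MZ", ELF). Heuristic only:
# a text file may legitimately begin with the two bytes "MZ".
EXEC_MAGIC = (b"MZ", b"\x7fELF")
# Extensions treated as runnable on Windows (illustrative assumption).
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".hta"}
# Declared media types under which an executable is expected (assumption).
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload"}


def parse_headers(content_type, content_disposition=None):
    """Return (media_type, filename) using the stdlib MIME header parser."""
    msg = Message()
    msg["Content-Type"] = content_type
    if content_disposition:
        msg["Content-Disposition"] = content_disposition
    return msg.get_content_type(), msg.get_filename()


def audit_response(content_type, content_disposition, body):
    """List the ways a download's headers disagree with its actual content."""
    media_type, filename = parse_headers(content_type, content_disposition)
    is_exec = body.startswith(EXEC_MAGIC)
    findings = []
    if is_exec and media_type not in EXEC_TYPES:
        findings.append("type-mismatch")       # executable declared as e.g. text
    if filename:
        stem, ext = os.path.splitext(filename.lower())
        if is_exec and ext not in EXEC_EXT:
            findings.append("name-mismatch")   # executable shown under a benign name
        if ext in EXEC_EXT and os.path.splitext(stem)[1]:
            findings.append("double-extension")  # e.g. photo.jpg.exe
    return findings


# Constructed sample responses: (Content-Type, Content-Disposition, body prefix)
SAMPLES = [
    ("text/plain", 'inline; filename="readme.txt"', b"MZ\x90\x00\x03"),
    ("application/octet-stream", 'attachment; filename="setup.exe"', b"MZ\x90\x00"),
    ("image/jpeg", 'attachment; filename="photo.jpg.exe"', b"MZ\x90\x00"),
    ("text/plain; charset=us-ascii", 'attachment; filename="notes.txt"', b"hello"),
]

if __name__ == "__main__":
    for ctype, cdisp, body in SAMPLES:
        print(ctype, cdisp, "->", audit_response(ctype, cdisp, body) or "ok")
```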

To: grimalkin
Does the patch install Netscape?

/john

2 posted on 12/14/2001 2:53:29 PM PST by JRandomFreeper
[ Post Reply | Private Reply | To 1 | View Replies]

To: kd5cts
Ya know, for all the bashing that Netscape takes, I gotta say that I like it better, if only for the fact that all the bad viruses are always directed at Outlook users.
3 posted on 12/14/2001 2:57:19 PM PST by brewcrew
[ Post Reply | Private Reply | To 2 | View Replies]

To: brewcrew
bump so I can download this patch at home later.
4 posted on 12/14/2001 3:03:24 PM PST by monkeyshine
[ Post Reply | Private Reply | To 3 | View Replies]

To: kd5cts
A flaw in the MS website directs concerned users to a Linux site.
5 posted on 12/14/2001 3:05:21 PM PST by Chemnitz
[ Post Reply | Private Reply | To 2 | View Replies]

To: brewcrew
I think you may be experiencing a false sense of security.
6 posted on 12/14/2001 3:17:14 PM PST by Clara Lou
[ Post Reply | Private Reply | To 3 | View Replies]

To: grimalkin
A user with a Macintosh running OS X doesn't need to worry about the latest flaw in Microsoft's operating system. Mac OS X is far superior to NT, 2000, or XP.
7 posted on 12/14/2001 3:48:02 PM PST by Astronaut
[ Post Reply | Private Reply | To 1 | View Replies]

To: Astronaut
You Speak The Truth!
8 posted on 12/14/2001 3:51:48 PM PST by cmsgop
[ Post Reply | Private Reply | To 7 | View Replies]

To: Astronaut
I love X!
Objective C programming has been a real challenge, but boy, oh, boy once you're past the learning curve, is it a nice environment! (I was never a NeXtie, but now I appreciate their way of thinking!)
Those who think that OSX is just UNIX with a pretty GUI know not what they speak (but that's frequently the case in some of these technical threads).
9 posted on 12/14/2001 3:57:53 PM PST by Utopia
[ Post Reply | Private Reply | To 7 | View Replies]

To: Astronaut
That's true, although if you run Microsoft stuff, you were vulnerable to the exploit before this one. Safest bet is to avoid Microsoft altogether, although I realize that's not always feasible.
10 posted on 12/14/2001 4:04:21 PM PST by B Knotts
[ Post Reply | Private Reply | To 7 | View Replies]

Comment #11 Removed by Moderator

To: Clara Lou
Well, so far, so good. Zone Alarm plus McAfee, and I just recently installed a router with a built-in hardware firewall (so I can dump Zone Alarm now). Haven't had a problem in 7 years.
12 posted on 12/14/2001 4:50:06 PM PST by brewcrew
[ Post Reply | Private Reply | To 6 | View Replies]

To: B Knotts
I avoid all Microsoft applications. I am posting this using OmniWeb 4.1, rather than IE for X.
13 posted on 12/14/2001 6:13:05 PM PST by Astronaut
[ Post Reply | Private Reply | To 10 | View Replies]

To: Astronaut
The only problem with OS X is you need a Mac to run it.
14 posted on 12/14/2001 7:11:27 PM PST by Duke Nukum
[ Post Reply | Private Reply | To 7 | View Replies]

To: All
Mozilla is coming along nicely. I'd recommend it as an excellent replacement for MSIE. Check it out at http://www.mozilla.org/. It's available for Windows and Linux (though I use the latter) and is very stable now.
15 posted on 12/15/2001 12:14:54 AM PST by ArmchairWarrior
[ Post Reply | Private Reply | To 14 | View Replies]

To: brewcrew
The credit needs to go to McAfee and ZoneAlarm, not Netscape. I use ZoneAlarm and an anti-virus with MS Outlook Express-- no problem whatsoever. (My pet peeve is that AOL took over Netscape, my preferred browser/email for years, and made it an inferior product. The last two versions of Netscape that I used froze up repeatedly at sites that give IE Explorer no trouble. The last good version of Netscape was 4.72, I think.)
16 posted on 12/15/2001 5:19:32 AM PST by Clara Lou
[ Post Reply | Private Reply | To 12 | View Replies]

To: Clara Lou
I should have been clearer - I won't touch the 6.x versions of Netscape with a 10-foot pole (or a Czech or a Swede, for that matter). Running 4.79, and you're most certainly right about Zone Alarm and McAfee. They alone are responsible for keeping my machines clean.
17 posted on 12/15/2001 6:08:27 AM PST by brewcrew
[ Post Reply | Private Reply | To 16 | View Replies]

To: grimalkin
bump
18 posted on 12/15/2001 6:18:19 AM PST by DeckTheHallsHolly
[ Post Reply | Private Reply | To 1 | View Replies]

Comment #19 Removed by Moderator

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson