MS releases mother of all IE security patches
The Register | 14/12/2001 at 13:10 GMT | John Leyden
Posted on 12/14/2001 2:43:15 PM PST by grimalkin
Microsoft has released a cumulative patch for Internet Explorer which the firm says is a "critical" security precaution against crackers which should be applied "immediately".
Installation of the mother of all patches "eliminates all previously discussed security vulnerabilities affecting IE 5.5 and IE 6" as well as tackling three newly discovered vulnerabilities, according to a security alert from Microsoft.
The first, and by far the worst, vulnerability involves a flaw in the way IE 6 handles Content-Disposition and Content-Type header fields in an HTML stream, which determine how a downloaded file is handled. The flaw means if an attacker altered the HTML header information in a certain way, it could be possible to make IE believe that an executable file was a different type of file, such as a text file that could be opened with minimal risk.
The vulnerability, which affects IE 6.0 only and not IE 5.5, means a cracker could create a Web page or HTML mail that, when opened, "would automatically run an executable on the user's system". It was discovered by Jouko Pynnonen of Oy Online Solutions.
Next up is a less serious vulnerability which could allow a malicious Web site operator to open two browser windows, one in the web site's domain and the other on the user's local file system, and to pass information from the latter to the former. This means the owner of malware.com could read, but not change, local PC files of any surfer he manages to lure to his site. However he'd have to know the name and location of the file he was looking for, which must be something that can be viewed in a browser.
This vulnerability, which affects both IE 5.5 and 6.0, is a variant of the "Frame Domain Verification" bug.
Lastly there's a flaw related to the display of the names of downloaded files. It's been discovered that it might be possible for a cracker to misrepresent the name of the file in a dialogue box, which could be used to fool users into accepting unsafe file types. Again the bug affects both IE 5.5 and 6.0.
TOPICS: Miscellaneous; News/Current Events
1 posted on 12/14/2001 2:43:15 PM PST by grimalkin
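Added example, not part of the posted article or of Microsoft's advisory: the first flaw in the article depends on the declared Content-Type disagreeing with what the file really is, so a gateway or log-review script can flag responses whose Content-Disposition filename is executable while the declared type is one users treat as safe. The extension list, the low-risk type list and the function name are assumptions of this sketch, and the check is a generic heuristic, not the specific trigger for the IE 6 bug.

```python
import os
from email.parser import HeaderParser

# Assumed policy lists for this example; tune them for the environment.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".hta", ".vbs"}
LOW_RISK_TYPES = ("text/plain", "image/", "audio/", "video/")


def audit_download_headers(raw_headers):
    """Return a list of findings for one response header block."""
    msg = HeaderParser().parsestr(raw_headers)
    # get_filename() reads filename= from Content-Disposition and falls back
    # to name= on Content-Type.
    filename = (msg.get_filename() or "").strip()
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    ext = os.path.splitext(filename.rstrip(". "))[1].lower()
    if ext not in EXECUTABLE_EXTS:
        return []
    if msg["Content-Type"] is None:
        # get_content_type() would silently default to text/plain here.
        return [f"no Content-Type declared for {filename!r}"]
    ctype = msg.get_content_type()
    if ctype.startswith(LOW_RISK_TYPES):
        return [f"{ctype} declared for executable name {filename!r}"]
    return []


# Constructed sample header blocks (not captured traffic).
SAMPLES = {
    "honest": "Content-Type: application/octet-stream\n"
              'Content-Disposition: attachment; filename="setup.exe"\n\n',
    "mismatch": "Content-Type: text/plain; charset=us-ascii\n"
                'Content-Disposition: inline; filename="readme.EXE"\n\n',
    "untyped": 'Content-Disposition: attachment; filename="tool.scr"\n\n',
    "text": "Content-Type: text/plain\n"
            'Content-Disposition: attachment; filename="notes.txt"\n\n',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit_download_headers(raw))
```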
To: grimalkin
Does the patch install Netscape?
/john
To: kd5cts
Ya know, for all the bashing that Netscape takes, I gotta say that I like it better, if only for the fact that all the bad viruses are always directed at Outlook users.
3 posted on 12/14/2001 2:57:19 PM PST by brewcrew
To: brewcrew
bump so I can download this patch at home later.
To: kd5cts
A flaw in the MS website directs concerned users to a Linux site.
5 posted on 12/14/2001 3:05:21 PM PST by Chemnitz
To: brewcrew
I think you may be experiencing a false sense of security.
6 posted on 12/14/2001 3:17:14 PM PST by Clara Lou
To: grimalkin
A user with a Macintosh running OS X doesn't need to worry about the latest flaw in Microsoft's operating system. Mac OS X is far superior to NT, 2000, or XP.
7 posted on 12/14/2001 3:48:02 PM PST by Astronaut
To: Astronaut
You Speak The Truth!
8 posted on 12/14/2001 3:51:48 PM PST by cmsgop
To: Astronaut
I love X!
Objective C programming has been a real challenge, but boy, oh, boy once you're past the learning curve, is it a nice environment! (I was never a NeXtie, but now I appreciate their way of thinking!)
Those who think that OSX is just UNIX with a pretty GUI know not what they speak (but that's frequently the case in some of these technical threads).
9 posted on 12/14/2001 3:57:53 PM PST by Utopia
To: Astronaut
That's true, although if you run Microsoft stuff, you were vulnerable to the exploit before this one. Safest bet is to avoid Microsoft altogether, although I realize that's not always feasible.
10 posted on 12/14/2001 4:04:21 PM PST by B Knotts
Comment #11 Removed by Moderator
To: Clara Lou
Well, so far, so good. Zone Alarm plus McAfee, and I just recently installed a router with a built-in hardware firewall (so I can dump Zone Alarm now). Haven't had a problem in 7 years.
12 posted on 12/14/2001 4:50:06 PM PST by brewcrew
To: B Knotts
I avoid all Microsoft applications. I am posting this using OmniWeb 4.1, rather than IE for X.
To: Astronaut
The only problem with OS X is you need a Mac to run it.
To: All
Mozilla is coming along nicely. I'd recommend it as an excellent replacement for MSIE. Check it out at http://www.mozilla.org/. It's available for Windows and Linux (though I use the latter) and is very stable now.
To: brewcrew
The credit needs to go to McAfee and ZoneAlarm, not Netscape. I use ZoneAlarm and an anti-virus with MS Outlook Express-- no problem whatsoever. (My pet peeve is that AOL took over Netscape, my preferred browser/email for years, and made it an inferior product. The last two versions of Netscape that I used froze up repeatedly at sites that give IE Explorer no trouble. The last good version of Netscape was 4.72, I think.)
To: Clara Lou
I should have been clearer - I won't touch the 6.x versions of Netscape with a 10-foot pole (or a Czech or a Swede, for that matter). Running 4.79, and you're most certainly right about Zone Alarm and McAfee. They alone are responsible for keeping my machines clean.
17 posted on 12/15/2001 6:08:27 AM PST by brewcrew
To: grimalkin
bump
Comment #19 Removed by Moderator