Free Republic

To: Red Badger

I don’t use IE7 — still use IE6. I wonder if the patch is applicable or needed for IE6? Anyone know?


16 posted on 12/17/2008 10:52:40 AM PST by webschooner


To: webschooner

“I don’t use IE7 — still use IE6. I wonder if the patch is applicable or needed for IE6? Anyone know?”


I think that they said that all are vulnerable. I already downloaded the patch, so I switched back to IE from Firefox.


25 posted on 12/17/2008 11:03:20 AM PST by ansel12 ( When a conservative pundit mocks Wasilla, he's mocking conservatism as it's actually lived.)

To: webschooner; ansel12; All
I've said it for years: IE and LookOut...err, Outlook cannot be made "safe". The program code used is embedded in the operating system itself and will not/cannot be changed or it will break the O/S. Anyone using either of these Microsoft products in any version is fully open to all kinds of exploits, whether current "patches" are applied or not. The solution is to NOT USE IE or Outlook. Ever. For anything.

Stealing a rant from someone else who explains it well:

The controls that form Internet Explorer are a core system service in Windows. They are fundamental to the operation of all modern Windows versions. The Add/Remove Programs dialog in Windows 2000 and Windows XP? That's generated using the same controls that form Internet Explorer. I say "controls that form Internet Explorer" because IE isn't really a single application (like, say, Firefox or Opera), it's really a collection of libraries that can be called by top-level processes like the Explorer shell, Internet Explorer, the Add/Remove Programs dialog, or other applications. Probably the most important library is MSHTML.DLL, which more than anything else probably is Internet Explorer.

These controls must be able to have full system access, or else they won't be able to do their job. They have to be able to spawn admin-level processes and write to local files and do other things that are "bad" from a security standpoint, because when these controls are used as part of the basic Windows UI, they have to be able to do these things as part of day-to-day operation. And so we have Security Zones.

The Local Zone is where (by default) all of the "full access pass" stuff runs, the stuff that you see in the Explorer shell and other regular Windows UI bits (as well as HTML files and things that are sitting on your hard drive). Nothing from the Internet is supposed to run in the Local Zone. Everything that you view in Internet Explorer goes in the Internet Zone, the Local Intranet Zone, the Trusted Sites Zone, or the Restricted Sites Zone. You can set the security parameters on those four zones in the Security tab of the Internet Options in IE.

Most of these security exploits you see in Internet Explorer are called "cross-zone scripting exploits". What they do (usually) is find a way to use scripting to open a Local Zone resource (such as a help file), and then somehow alter it so that it contains malicious code instead. This is how the Ilookup trojan works. Other exploits escalate the security level of an iframe to Local Zone, or some other tactic. But the general idea is getting malicious code into the Local Zone without your permission, where it can be executed with full system access. This is why locking down the Local Zone is a workaround against these sorts of exploits, but locking down the Local Zone has serious side effects in Windows itself.

The difference between Internet Explorer and other browsers is that the other browsers simply do not have this sort of problem. Mozilla and Opera do not have the requirement to manage operating-system level tasks using the same controls they use to render web pages, and so do not even have a "Local Zone" to take advantage of. They are not designed to let scripts do bad things at all.

There are still exploits that can be performed on browsers like Opera and Mozilla. Directory traversals, buffer overflows, taking advantage of design defects... Hell, have a look at the stuff Opera's had to fix in version 7 so far. (I think the "really big favicon" exploit is my favorite.) And you can find cross-site scripting vulnerabilities in Mozilla, but they don't let you install software; they just cause data security problems because one site might be able to read another site's JavaScript variables or cookies or something. But IE's fundamental security model makes it incredibly vulnerable to exploits that allow the arbitrary installation of software, or worse.

And that's why IE is more fundamentally insecure than the alternatives, and until something is fundamentally changed about it (which may or may not happen with XP SP2), it's going to remain more fundamentally insecure regardless of popularity levels.

44 posted on 12/17/2008 11:55:22 AM PST by hadit2here ("Most men would rather die than think. Many do." - Bertrand Russell)
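The rant above explains that the "Local Zone" (zone 0, "My Computer") is where content runs with full rights, and that locking it down is the usual workaround. As an added example, not from the thread or from Microsoft, here is a PowerShell audit that reads the per-user zone settings and warns when zone 0 still allows scripting or ActiveX. It assumes the standard registry layout (Zones\0..4 under Internet Settings, DWORD action values such as 1200/1201/1400/1004 with 0 = Enable, 1 = Prompt, 3 = Disable) and the XP SP2 FEATURE_LOCALMACHINE_LOCKDOWN key; run it in PowerShell on the machine being checked.

```powershell
# Added audit example (not code from the thread). Assumes the documented
# IE zone registry layout; Zone 0 is the "Local Zone" discussed above.
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$actions = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
    '1004' = 'Download unsigned ActiveX controls'
}
$state = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

foreach ($zone in 0..4) {
    $key = Join-Path $zonesKey $zone
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    Write-Host ("Zone {0}: {1}" -f $zone, $props.DisplayName)
    foreach ($id in ($actions.Keys | Sort-Object)) {
        $raw = $props.$id
        if ($null -eq $raw) { $label = 'not set (built-in default)' }
        elseif ($state.ContainsKey([int]$raw)) { $label = $state[[int]$raw] }
        else { $label = "unknown ($raw)" }
        Write-Host ("  {0} {1,-60} {2}" -f $id, $actions[$id], $label)
        # Anything not explicitly Disabled in zone 0 runs with the user's full
        # rights once content has been written to the local machine.
        if ($zone -eq 0 -and ($null -eq $raw -or [int]$raw -ne 3)) {
            Write-Warning ("Local Zone allows '{0}'" -f $actions[$id])
        }
    }
}

# XP SP2 added Local Machine Zone Lockdown; report whether it is on for iexplore.exe.
$lmz = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'
$flag = (Get-ItemProperty -Path $lmz -ErrorAction SilentlyContinue).'iexplore.exe'
if ($flag -eq 1) { Write-Host 'Local Machine Zone Lockdown: enabled for iexplore.exe' }
else { Write-Warning 'Local Machine Zone Lockdown is not enabled for iexplore.exe' }
```

Machine-wide policy under HKLM can override the HKCU values shown here, so a clean HKCU report is not by itself proof that the zone is locked down.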
