Microsoft Plugs IE; Warns All Browsers At Risk (Test Your Browser Here)

TechWeb ^ | July 2, 2004 | Gregg Keizer

[pctech]

Dang it man, I downloaded the patch from Microsoft last night myself and I still failed the test. I think I'll download Firefox and see what happens.

[7.62 x 51mm]

I think you're right; the menus aren't as deep and detailed as IEs or MSs usual offerings. But the GUI is so nice and the v7.1 is as fast or faster than IE, at least on my machines.

Thanks again for the assist of IE, g_r.

[general_re]

On the plus side, the fact that Moz 1.7 and Firefox 0.9 aren't affected tells me that the fix is already in the Mozilla codebase somewhere, so I expect that Netscape should - emphasis on should - be able to produce a patch for this fairly quickly.

[general_re]

Oh, yeah - you're welcome ;)

[js1138]

My new SBC/Yahoo DSL downloaded the updates/patches in seconds. Then my computer installed them in about a minute. I shut down and restarted my computer to come back to Free Republic. All was done in less than 3 minutes.

Run the test again in post #1. You may need to manually set the security option outlined in post 1.

[neutrino]

My IE 6 passed...I don't know why yours didn't.

[js1138]

I did the upgrade, Critical Update for ADODB.stream (KB870669) shut down my computer, restarted it and I am still was still vulnerable. Was that wrong upgrade?

Do this manually:

Internet Explorer users can stymie such spoofing attacks by disabling the “Navigate sub-frames across different domains” setting under Tools/Internet Options/Security.

[Principled]

why didn't MS just fix it this way???

[js1138]

why didn't MS just fix it this way???

It's a useful option. You might as well ask why you should buy an expensive car, since it only attracts thieves. Please not that the problem includes all versions of Netscape and Opera. At one time the internet community thought this was a useful and desirable feature. So now it attracts evildoers, and we are supposed to blame the victims?

[Principled]

No complaints here! I'm just wondering hy they don't tell MSIE users to use this feature instead of devising some patch...

[js1138]

I installed the upgrade on two home machines. on one the setting changed automatically. On the other I had to set it manually. To be fair. the second machine has never been quite right since it was overrun by viruses last year. (I wasn't using a scanner, and my wife belongs to lots of newsgroups.) There may also be more to the patch than I know about.

[Action-America]

You are actually calling us cretins because we buy Macintoshes???

I wouldn't worry too much about what Bush2000 says. Nobody else does.

I think that he (she) either works for Microsoft or is one of those MSXX certification types who hasn't figured out that he (she) owes his (her) livelihood to the fact that Microsoft produces garbage software. Either way, it severely damages his (her) credibility on such issues.

I have made a very good living for quite a number of years, largely due to the fact that Microsoft has created such a huge market for people like me to come in and fix problems that would have never occurred in software produced by a good software company. For that reason, I really like Microsoft. If they were to start making good software, a lot of people like me would have to start actually working for a living.

But, it's because my time is so valuable and I therefore don't have time to fight Microsoft problems on my own computer, that I use Macs, for my own business and home computing. After all, every hour that I might have to spend fixing problems on my own computer, would be an hour that I couldn't bill to a client. I'm not trying to get people to switch to Macs. I will, however, admit to the vice of having a bit of pride, in being one of the relatively few people who has the sense to recognize a superior computing platform, in spite of the massive propaganda from Microsoft.

I just let what Bush2000 says, roll off my back, since he (she) is obviously a Microsoft bigot (for whatever reasons) and probably just feels a natural desire to preserve his (her) pride by slamming those who he (she) realizes, know that his (her) pride has no real foundation, in fact. I can't really blame him (her) for doing something that I might well do, if I had bought into the Microsoft propaganda and were stuck using a WinTel box.

 

[Future Useless Eater]

(121)>>Dang it man, I downloaded the patch from Microsoft last night myself and I still failed the test. I think I'll download Firefox and see what happens.

I think the ADODB patch, and the FRAMES vulnerability are two separate things. You can't use the 'frames test' shown here to test if the ADODB patch was successful. The later is very difficult to test, and security experts says it is ineffective.

(115)>>NS v7.1? It doesn't seem to have all those options at either Tools or Edit > Preferences, as IE does.

In all the Netscape spinoffs, Firefox/Mozilla etc, when you can't find a user interface to change some option, try entering the URL   about:config
THAT will give you a long list of options you can 'tweak'. Do a google search, and read up on anything there that looks interesting before you change any options.

(114)>>Got a link for an update site?

Try clicking the icon at the bottom of post 67.

(128)>>why didn't MS just fix it this way???

In my opinion, MS has cared more for internet-commerce concerns, than for privacy/security concerns. Almost all the security problems that a (Windows/I.E.) combination has, are NOT an issue with a (Windows/non-Microsoft browser) combination. And the modifying of other people's web content by tricking 'frames' has almost always been associated with evil-doers. There wre even some lawsuits that were supposed to plug that practice, but it seems they failed to correct it at microsoft.

It seems that Netscape 4.77 (circa 1999) did NOT have the frames vulnerability and that matches my recollection of how frames worked back then. But when IE came out with the OPPOSITE settings as a default, some of the other (newer) browsers apparently felt they had to follow suit or else they wouldn't be compatible with greenhorn website developers that ONLY developed and tested things with an IE browser.

[Friend of thunder]

users can stymie such spoofing attacks by disabling the “Navigate sub-frames across different domains” setting under Tools/Internet Options/Security.

Thank you! That works.

I assume there times that I would want that this enabled or is this (the ability to navigate sub-frames across different domains) something that, while useful, is too easily exploitable by evildoers?

[Action-America]

Principled, here is the link to the Firefox 0.9.1 download.

http://texturizer.net/firefox/download.html

Firefox is what used to be Firebird, but they ran into another trademark problem and had to change the name again. Before Firebird, it was Phoenix. But, under any name, it has always been a very good browser. The release of 0.8 and the more recent 0.9.1 marks the move from being a very good browser, to a really fine browser.

 

[js1138]

Apparently this "feature" was a bad idea and should be disabled by default.

[supercat]

Of course, this doesn't mean that I don't think that Microsoft are a bunch of greedy incompetents.

By my understanding, a lot of DRM these days is predicated upon the ability to embed code within a protected digital content file; under Microsoft's Palladium architecture, such embedded code would be encrypted (most likely with a one-way encryption algorithm so that companies could encrypt code that would run on others' machines without being able to decrypt others' code). Does anyone know if this is how things would work?

If so, can anyone spell "virus heaven"?

[Bush2000]

You are actually calling us cretins because we buy Macintoshes???

Do you always reply to posts that are addressed to other people as if they'd been addressed to you personally? Just curious. Because I wasn't addressing you -- or soliciting your opinion.

[Bush2000]

But the latest versions of Mozilla & Firefox have this problem fixed; but Internet Explorer is still vunerable - I ran Windows Update 20 minutes ago, and IE still failed that security test.

You don't need a patch to fix this problem. Choose Tools | Internet Options | Security | Navigate Sub-Frames Across Different Domains | Disable. Takes 5 seconds. Done.

[Bush2000]

Hmmm, some of us cretins have been running the Mozilla strains for quite a while and haven't been affected.

Neither has any IE user. I'd like anyone to point out a single user who was directly attacked by this hack. Bottom line: Nobody was. The threat is theoretical only -- and requires you to traverse to a malicious website. Hackers can't force you to go there; consequently, the actual threat is near zero to the average user.