Microsoft Plugs IE; Warns All Browsers At Risk (Test Your Browser Here)

TechWeb ^ | July 2, 2004 | Gregg Keizer

[Ernest_at_the_Beach]

I think it does work though in Firefox 8 on Linux...

[Ernest_at_the_Beach]

Just tested again, looks like Firefox .8 has the problem running on Linux.

[AnimalLover]

Thanks for posting this important information. I have just finished installing a crital patch from Microsoft.

Here's hoping!

[freedom moose]

i have a MAC and use Safari. It failed the test. I guess there'll be an update soon. Anyone have any suggestions on what to do in the meantime?

[freedom moose]

While Secunia DID successfully inject its content onto the page, the return to the page did not replicate that injection
i guess that's what happened to me too then. so maybe i don't have to worry. please explain what replicating the injection means. thanks

[DreadCthulhu]

Firefox is available for the Mac, and the latest version doesn't have this flaw. Try that for now. And the latest Windows Update DOES NOT fix this bug in IE. I just updated earlier & IE failed the test. Just a warning for people.

[Future Useless Eater]

The update, which Microsoft tagged as “Critical,” isn't a patch per se, but rather an change to Windows that disables the ADODB.Stream object

FYI, the Internet Storm Center tested this latest Microsoft/IE 'fix' and found it inadequate to stop hackers...

"...even after 'ADODB.Stream' is disabled, it is still possible to launch programs on the users system without user interaction."

A related suggestion was distributed by security experts this week that could ALSO be of interest. They reiterate an MS security note (Microsoft Knowledge Base Article 833633) concerning the "Local Machine zone"...

For those of you that don't mind tinkering under the hood" of your computer such as to tighten ALL the security settings in every zone with: Control Panel --> Internet Options --> Security
MS announced a FIFTH security zone NOT shown in that tool with suggestions of tightening things THERE as well...
The control panel tool shows only these four zones:

• Trusted sites
• Local intranet
• Internet
• Restricted sites

The 5th (even higher level) zone is known as "Local Machine zone", and the MS article suggested it may be helpful for the security conscious, in some cases to even strengthen some security settings there.

"a malicious user may try to take advantage of the power of the Local Machine zone to elevate their permissions and to run arbitrary code on your computer."

Those zone settings can only be tweaked using the registry editor (regedit), and the changes do the following for the Local Machine zone:

• Disables ActiveX Controls and plug-ins
• Disables Active scripting
• Disables data sources across domains
• Disables Java

If any of you say "you no longer use IE", be aware that a Windows computer STILL HAS SEVERAL OTHER programs that venture out on the internet and can be at risk (Windows Media Player) for example. Shutting off these vulnerabilities helps security in those OTHER programs as well.

With the latest sophistication of trojans, worms, and virus, I recommend tightening EVERY security zone (there is practically no such thing as a 'trusted site' anymore, and even the 'Local intranet' zone is commonly corrupted).
Then install a non-MS browser and emailer if you haven't already.

[Musket]

bump for later.

[Just mythoughts]

Thanks.

This never ends.

[backhoe]

Appreciate the info. I'm still cleaning garbage out of my machine.

[Byron_the_Aussie]

...if you read his thread, you'll be able to get rid of CoolWebSearch...

Thanks, champ. However I finally managed to get rid of it last week, with Spy Sweeper. I had a terrific dream, that night- I was the Ultimate Techie, hunting hackers on the Net, wrecking their homepages, terrorising their forums, posting accounts of my exploits on my blog. And- receiving millions in Paypal donations, from long-suffering IE users. :) Cheers, By

[TechJunkYard]

Netscape 4.77 under Red Hat 7.3 is NOT vulnerable.

[Dominic Harr]

I'm getting a little tired of their continual lies.

ooooh, it really burns you that Mozilla and Firefox have already fixed this "design flaw", doesn't it?

Bottom line -- once again, the open-source tool is safe while the proprietary one is not.

MS is to software what McDonalds is to food. You eat what you like, tho . . .

[ovrtaxt]

Using Mozilla 1.7. I passed, do I get a gold star?

[SeeRushToldU_So]

I am using FireFox. I switched a couple of weeks ago at the suggestoin of some Freepers.

So far I like it.

[1234]

Hey, what about Win 95 w/IE 5.5? TX

[Vinnie]

I'm in IE right now. Got an auto -update from MS yesterday.

IE failed the test.

Tried my usual browser, Mozilla 1.7. Passed

[B Knotts]

This is an odd article. It talks about the IE ADODB vulnerability, and then goes on to an entirely different implementation problem, shared by some other browsers, which is not as serious, in an apparent attempt to downplay the problems with IE.

Note to everyone: this is not the same as the big problem the other day.

[lainde]

BTTT

[Liberal Classic]

Swordmaker: Bush, it IS possible to comment on this without insulting anyone.

Bush2000: Stay out of it.

Too much coffee, Bob?

;)