Posted on 01/10/2005 11:13:42 AM PST by Ernest_at_the_Beach
Original URL: http://www.theregister.co.uk/2005/01/10/ie_sp2_exploit/
Code which exploits a vulnerability in the HTML Help control of Internet Explorer has been released onto the net. Secunia has upgraded the vulnerability (http://secunia.com/SA12889), uncovered in October 2004, to "extremely critical". Even users who have upgraded to Windows XP SP2 with all available patches are affected, the security reporting firm warns.
"The vulnerability can be exploited by malicious people to place and execute arbitrary programs on a client system if a user visits a malicious website. It doesn't require user interaction," Thomas Kristensen, CTO, told El Reg.
"The vulnerability was originally discussed as the Drag'n'Drop vulnerability back in October 2004. The new development only utilises flaws in the HTML Help control. Users can only protect themselves by disabling ActiveX support or using another product."
Secunia has published an online test for the vulnerability here (http://secunia.com/internet_explorer_command_execution_vulnerability_test). ®
Mozilla and Firefox flaws exposed (http://www.theregister.co.uk/2005/01/07/mozilla_flaws/)
MS quashes infamous Bofra bug (http://www.theregister.co.uk/2004/12/02/ie_iframe_fix/)
IE exploits top web security threat list (http://www.theregister.co.uk/2004/11/02/web_security_survey_scansafe/)
Security holes that run deep (http://www.theregister.co.uk/2004/12/21/simple_aspnet_security_hole/)
No end to the problems.
This is really getting old.
It's starting to remind me of the early snowmobiles we had in the '60s. They took 3 or more hours of maintenance for every hour you could run them.
I really wish that these people would realize just how stupid it is to use IE these days.
I can't imagine why anyone would. It's like knowingly choosing to park a car in a high crime area and leaving your doors unlocked.
That's for sure.
There are a number of Freepers who had never heard of Mozilla, Firefox, or Opera until they saw them mentioned in a thread.
I can't blame people who aren't always able (or even savvy enough) to keep on the latest tech news. Many people, through no fault of their own, are simply not aware that using MSIE is like playing Russian Roulette.
It's not a bug or flaw, it's a feature or issue.
/s/ Microsoft PR Dept.
Exploit code attacks unpatched IE bug
UPDATE: I ran the vulnerability test on my Windows XP SP2 machine at work and it was vulnerable. I then checked Windows Update for a patch and nothing new was available. The only patch that I can think of is available here.
Interesting. I went to the linked article and tried to access the Secunia test, but my computer refused to load that page. Evidently something is blocking it.
I have a lot of gear on board, and possibly one of my AV or antispyware programs is blocking that site.
A demonstration of the vulnerability is available for users running Internet Explorer 6 with Windows XP SP2 installed.
And:
The test requires that you have Windows installed in "c:/windows/".
Internet Explorer Command Execution Vulnerability Test
Test is just under:
Test Your System
Does Norton AV protect against this?
I really wish that these people would realize just how stupid it is to use WINDOWS these days.
Shalom.
Excerpt --
Until a patch is available, IE users should consider switching browsers, said Secunia, or disabling the "Drag and Drop or copy and paste files" option in Internet Explorer. Microsoft has posted a document on its support site that explains the process.
http://support.microsoft.com/kb/888534
_______________________________________________________
Take a glance at the Microsoft temporary solution and decide, "Do I want to try this Microsoft temp patch or just download/install Firefox?"