New IE Attack Expected - Pre-Patch Workaround Issued

     
5:40 am on Aug 19, 2005 (gmt 0)

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member




Looks like a big storm is aiming straight for Internet Explorer, and Microsoft is scrambling to help users protect their systems.

Microsoft late Thursday issued an advisory with pre-patch workarounds to counter the public release of a zero-day exploit targeting users of its Internet Explorer browser...

There is no patch available for the vulnerability and, because exploit code has already been released, incident handlers at the SANS ISC (Internet Storm Center) believe a widespread attack is very likely...

In the absence of a patch, the company has published detailed workarounds and mitigation guidance [microsoft.com] to help block known attack vectors.

eWeek Article: http://www.eweek.com/article2/0,1759,1849948,00.asp?kc=EWRSS03129TX1K0000610

6:20 pm on Aug 20, 2005 (gmt 0)

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member



So, you can have a UNIX environment without a case-sensitive file-system if you so choose.

Yes, I saw a unix clone (Xenix maybe) demonstrated many years ago without case-sensitive filenames, but the fact remains, these OS designers think case-sensitivity is a good thing, and, most certainly, it is not.

</offtopic>

Kaled.

9:40 pm on Aug 20, 2005 (gmt 0)



This is the drop. I now officially (finally) changed to Firefox. Just migrated my bookmarks, so I'm set.

bye IE :)

11:37 pm on Aug 20, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



bye IE

Microsoft wouldn't make it that easy; for starters, Windows Update will only work with IE. A few places like legal movie streaming sites won't work with anything but IE either (DRM). That and the unskilled developers, including many government sites, that won't render properly unless you use IE.

My suggestion is to install the 'IE View' extension for Firefox. That way if you run across one of these defunct sites you can still view the page in IE.

2:57 am on Aug 21, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That and the unskilled developers, including many government sites, that won't render properly unless you use IE.

[slightly OT]
Y'know, I hear this a lot, but in more than a year of using Firefox/Opera exclusively (and mostly using Mozilla based browsers for some months before that) for all internet browsing, banking and shopping, I have yet to encounter one of these works-only-in-IE sites.

I don't doubt that they're out there, but I'm just not seeing them. Anyone want to sticky me a few examples?
[/slightly OT]

-B

3:43 am on Aug 21, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Official Washington State tourism website, it's a good example so I hope it's not against TOS.

[experiencewashington.com...]

4:04 am on Aug 21, 2005 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Herenvardo,

Yeah, you're right. I think it's just that the registry is *so complicated* that users can't be trusted; they might click on the .reg file wrong... You know, click too hard and knock the bits loose or something.

FixIE-MSddsDLL.reg:

REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}]
"Compatibility Flags"=dword:00000400


The above code may wrap on small screens; the [] characters and everything within them must all be on one line or bad things may happen. Include three blank lines as shown. Use at your own risk. Create a restore point before proceeding, yadda, yadda.

Ref:
[microsoft.com...]
[support.microsoft.com...]

MS seems to enjoy making things harder than they need to be...

Jim
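
A pre-import check for a .reg file of the kind posted above, as an added example that is not part of the original post or of Microsoft's advisory: it reports a wrapped key line (the failure the post warns about) and confirms that Compatibility Flags 0x400 is set for the CLSID. The name lint_reg and both sample inputs are constructed for illustration.

```python
import re

# CLSID and flag value come from the .reg file in the post above.
MSDDS_CLSID = "{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}"
COMPAT_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
              "\\ActiveX Compatibility\\" + MSDDS_CLSID)
KILL_BIT = 0x400  # commonly called the ActiveX "kill bit"
# Strict by choice: canonical .reg syntax has no spaces around '='.
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def lint_reg(text):
    """Return a list of problems; an empty list means the flag would be set."""
    lines = [ln.strip() for ln in text.splitlines()]
    problems = []
    nonblank = [ln for ln in lines if ln]
    if not nonblank or nonblank[0] != "REGEDIT4":
        problems.append("first line is not REGEDIT4")
    current_key, flag_set = None, False
    for n, ln in enumerate(lines, 1):
        if not ln:
            continue
        if ln.startswith("["):
            if not ln.endswith("]"):
                # Key path split across lines: values below it are orphaned.
                problems.append(f"line {n}: key path wrapped, no closing ']'")
                current_key = None
            else:
                current_key = ln[1:-1]
            continue
        m = VALUE_RE.match(ln)
        if m and current_key and current_key.upper() == COMPAT_KEY.upper():
            if m.group(1).lower() == "compatibility flags":
                flag_set = bool(int(m.group(2), 16) & KILL_BIT)
    if not flag_set:
        problems.append("Compatibility Flags 0x400 not set for " + MSDDS_CLSID)
    return problems


# Constructed samples: a well-formed file, and the same file after a line wrap.
GOOD = "REGEDIT4\n\n[" + COMPAT_KEY + ']\n"Compatibility Flags"=dword:00000400\n'
WRAPPED = GOOD.replace("\\ActiveX Compatibility", "\\ActiveX\nCompatibility")

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("wrapped", WRAPPED)):
        print(name, lint_reg(sample) or "ok")
```
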

8:07 pm on Aug 21, 2005 (gmt 0)

10+ Year Member



Does no one read anymore? Or do we just see red at any post that says "IE Flaw"?

How many of you out there are using VS 2002 without a service pack?

I'd guess, almost none.

This is barely even newsworthy.

Mitigating Factors:

The Microsoft DDS Library Shape Control (Msdds.dll) does not ship in Windows.

The Microsoft DDS Library Shape Control (Msdds.dll) does not ship in the .NET Framework.

Customers who do not have Msdds.dll on their systems are not affected by this vulnerability.

The affected versions of Msdds.dll are 7.0.9064.9112 and 7.0.9446.0. Customers who have Msdds.dll with version 7.0.9955.0, 7.10.3077.0, or higher on their systems are not affected by this vulnerability.

Customers who use Microsoft Office 2003 are not affected by this vulnerability.

Customers who use Microsoft Access 2003 are not affected by this vulnerability.

Customers who use Microsoft Office XP Service Pack 3 are not by default affected by this vulnerability. See Frequently Asked Question "I am running Microsoft Office XP Service Pack 3, am I affected by this vulnerability?" for additional details.

Customers who use Microsoft Access 2002 Service Pack 3 are not by default affected by this vulnerability. See Frequently Asked Question "I am running Microsoft Office XP Service Pack 3, am I affected by this vulnerability?" for additional details.

Customers who use Microsoft Visual Studio 2003 are not affected by this vulnerability.

Customers who use Microsoft Visual Studio 2002 Service Pack 1 are not affected by this vulnerability.

11:43 pm on Aug 21, 2005 (gmt 0)

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



MS shills come and go ..the fact remains the OS is flaky..and the customer service for the non English language OS users is nonexistent ..

12:29 am on Aug 22, 2005 (gmt 0)

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



And that MS currently has 4 ..yes 4 ..known ..( to themselves holes in the OS that can be exploited ..see their own security section ) plus this one ..and not one of their patches works on other than English versions of the affected OS's ( but they send all other language users to the English language patches anyway for the downloads of the supposed cures )..."run em and weep!"

ps ..580kb ( each current Eng patch size..c'mon!) is damn near the size of an OS ..not a patch )...code bloat or obfuscation ..as jim says / hints ..

<google "shaddock">

Open message to ..Redmond ..Why not just mark " please do not use regedit ..the .dlls are not too tightly attached"..?

I'll lay money that within 5/10 years max only the PRO version of the "doze of the moment" will be shipped with regedit ( or its successor ) enabled ..

The rest will say something like "please refer to microsoft agreed service center for all problems with your system no user serviceable components inside" or " ya didn't enable auto update ..so sit on it!" ..with of course the smiley ..and using the MS text to speech engine in "mary in space" mode..

12:33 am on Aug 22, 2005 (gmt 0)

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month




...but in more than a year of using Firefox/Opera exclusively... I have yet to encounter one of these works-only-in-IE sites.

Try [windowsupdate.microsoft.com...]

This 40 message thread spans 2 pages.
 
