Thanks for the heads up Brett.

Brett:

Thanks- would not have seen this anywhere else for a while!

dave

That's a scary announcement - basically every windows computer can be affected. Better get the duct tape and plastic sheeting too.

Don't go nuts. Sure there aren't any nefarious lines of code in the patch? Big change in licensing attitudes at M$ these days. Backdoor indeed!

From the MS bulletin:

- Computers configured to disable active scripting in Internet Explorer are not susceptible to this issue.

- Microsoft tested W98, W98SE, Me, NT 4.0, NT 4.0 TSE, 2000, and XP. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

- This is a buffer overrun vulnerability. The vulnerability is caused by a heap overflow in the Windows Script Engine for the JScript scripting language, JScript.dll.

So disable active scripting - you shouldn't have it running anyway - and rein in Active X.

See the update site at the link in Brett's post for details on disabling.

And beware Greeks bearing gifts.

T

That is right, you should alos make sure scripting host is disabled in Outlook.

Common sense really - why would anyone want to give people the right to run scripts on thier computer?

Is it me, or is almost every MS vunerability a buffer overrun?

Don't they read the MSDN?
Writing Secure Code [msdn.microsoft.com]

;)

Also, hello - this is my first post after lurking for some time.

Thank`s for letting us know Brett. We will start updating ASAP.

The problem is that much of Microsoft's code in the last 10 years has been written in C++, which encourages buffer overflow bugs. I would say that 99% of the security flaws in Microsoft's software can be attributed to two things:

1) Buffer overflows in various pieces of software.
2) Web browser enhancements that give the web browser too much power. Specifically the enhancements of JavaScript and ActiveX controls. Because Outlook and Outlook express allow HTML mail, that includes email.

If Microsoft had written their software in a better programming language (such as their new C#), there wouldn't be the buffer overflow problems.

If Microsoft had limited the power of ActiveX controls and disabled JavaScript and ActiveX controls in HTML mail, then that would have eliminated much of the rest.

Geez, seems like more than once a week now there's some kind of flaw in security with some MS app or OS that will allow people to execute programs on your computer, turn it into a zombie, or worse. Whatever happened to this whole security initiative MS was supposed to be making on securing their software?

No wonder other OS platforms are gaining ground.

Sounds to me like the real problem is one of permissions.

Why in the world does a browser need root on one's machine?

Even if they want to use the browser for root purposes,
Microsoft could score a lot of points by providing a
second, "safe surfing" browser that doesn't have root
powers on the machine. Think how they could spin that
"innovation"; heck they could even say "it's for the children".

One of the tips I picked up here is to go to the "start" button on bottom left of IE browser, and pick "Update Windows" there, it takes you straight to the page on M$ that you need.

This is a real wounder for me. Relatives needing updates on slow modem connections. Guess who will have to do it all. Oh yeah, I wont get paid!

I despair at the amount of time that I have to spend downloading "freaking" MS patches.

As an XP user I just love the fact that it has forced updates 7 days in a row now:)

Every morning my PC is rebooted for me after an XP update, one way to keep your memory clean......lmao!

I love MS...but this is getting a little out of hand. Can we have some QA please?

>Can we have some QA please?

Sorry, this is Microsoft. Now if you want a bulletproof CONTRACT, they've got the largest legal firm in the world. But it is not fair either to the Computer industry or to Microsoft to compare them with software development firms.

>Can we have some QA please?

Sure, as more people use it, more bugs are found, software is regulary upgraded to fix the bugs.

How else would you have it?

Without diving into a political discussion (PLEASE let's avoid it)

I have my doubts about this. You'll probably think I'm paranoid for thinking this but...

The reasons are:

1: Most security problems are discovered by an outside company, who reveals it to MS who usually drags their feet. It's incredibly unusual that a flaw of this magnitude was overlooked by all major security firms.

Think about it: We are being told to believe that a major OS hole has been undetected since 1998; that hackers and security firms totally missed this major security hole for over five years.

2: The company quoted as confirming the flaw, trusecure corporation, employs "an expert who helped design classified networks at the CIA"

3: This company is part of a National Security Council group whose goal is securing our computer infrastructure against cyberattacks-

4: In the weeks prior to this, I've been experiencing an unusual amount of IE crashes, regardless of version or computer, with an unusual pop-up asking if I want to send a notice to MS, which made me think that it was engineered.

5: If one were to insert code capable of monitoring computers/information, this is the way to do it.

6: If MS wanted a break from the Justice Department, this is the way to get it.

I sincerely have my doubts about this security flaw.

For many, many years doctors were convinced that ulcers were caused by stress.

It was only recently discovered that ulcers are a bacterial infection.

Sometimes we forget to look at the trees while we look at the forest. As we stand on the mountain top we're puzzled as to the spectacular view that was supposed to be there. All we see are more mountains and trees and a river below.

I'm with you martinibuster.

And what better opportunity for a knee-jerk installation than during days of high-anxiety?

There's something fishy about this.

txbakers > Don't bogart that joint... ;-)

T

I love MS...

You can get help for that.. ;)

This is a real wounder for me. Relatives needing updates on slow modem connections.

Consider yourself lucky, the whole town's calling me, and when i run the update scan turns out not one of them (so far) has updated since the day they bought their computers.
And, being a rural town, our ISP loves to drop off at will.

Hey Toadhall...quit hogging!
~~=====