Lord Yupa

Danger Mouse

Serious Internet Explorer (and Outlook) Security Bug.

There's a major security problem with Internet Explorer 5.01 and 5.5. Here's the initial write-up I saw:
"Visit an attacker's webpage using Microsoft's browser on Microsoft's operating system, and the attacker can execute arbitrary code on your system with your full privileges. Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, so reading e-mail from an attacker (opening attachments not necessary) also gives them full access to your machine. MSIE 5.5 is vulnerable, and MSIE 5.01 is vulnerable unless you've installed Internet Explorer 5.01 Service Pack 2."

You can get full details from Microsoft, as well as a patch to fix this, here.

Basically, if you have Internet Explorer 5.01 or 5.5 installed, you need to do this as soon as possible, or risk nasty problems.

Thanks to Slashdot for the posting and to Kriptopolis for discovering this bug.


Re: Erm. . .

Disabling scripting was just an example of one thing that can be done to prevent malicious code from killing your system.

In the case of this vulnerability, they listed this as a way to block it:
"The vulnerability could not be exploited if File Downloads have been disabled in the Security Zone in which the e-mail is rendered. This is not a default setting in any zone, however."
Not that I don't agree that installing the update is a Good Thing, just that I felt a need to point out that some precautions will do the trick without that being done.

And in this case, disabling File Downloads in your OE security zone would be the trick in question.

Re: Erm. . .

I'm not an Outlook user at all, so I can't comment for sure, but the understanding I had was that disabling file downloads would only protect you from exploitation via web page, not via malicious e-mail.

Additionally, looking back over it, I apologise if my response earlier seemed unfairly harsh. I had to deal with some fool at work who spent an hour trying to tell me that this whole thing was just another reincarnation of the "Good Times" hoax, and that put me in a rather bad mood about the whole thing.

As bad as people spreading virus hoaxes are, having legitimate problems get ignored due to someone's ignorance was really frustrating.

Of course, when the "official" company-wide warning came out a few hours later, he finally admitted that there *might* be *some* validity to it. ;-)