  1. #1
    SitePoint Guru prequel's Avatar

    [Internet Explorer 5.5 & 6.0 security patch]!

    To all members using IE 5.50 and 6.0 browsers please read this http://news.cnet.com/news/0-1005-200...html?tag=cd_mh

    security patch can be downloaded and installed from here

    What vulnerabilities are eliminated by this patch?

    This patch, when installed, eliminates all known security vulnerabilities affecting Internet Explorer 5.5 and 6.0. In addition to eliminating all previously discussed vulnerabilities affecting these versions, it also eliminates three new ones.

    ============================================
    Installation platforms:
    - The IE 5.5 patch can be installed on IE 5.5 Service Pack 2.
    - The IE 6 patch can be installed on IE 6 Gold.

    Inclusion in future service packs:
    The fix for these issues will be included in IE 5.5 Service Pack 3, and IE 6 Service Pack 1.

    Reboot needed: Yes

    Verifying patch installation:

    - To verify that the patch has been installed on the machine, open IE, select Help, then select About Internet Explorer and confirm that Q312461 is listed in the Update Versions field.

    - To verify the individual files, use the patch manifest provided in Knowledge Base article Q312461.
    ============================================

    If you can't update yet... Microsoft advises that you


    Microsoft is urging IE users to disable active scripting in their browser settings. In addition, consumers using Outlook Express should set their preferences within the mail program to allow only "Restricted Sites" to load, according to the company.

    To disable active scripting in IE, open the Tools menu in the browser, followed by Internet Options and then the tab for Security. Next, open the Custom Level option; in the Settings box, scroll down to the Scripting section. Click Disable under "Active scripting" and "Scripting of Java applets." Click OK, and then click OK again.


    Explanation

    Microsoft has issued a patch almost a week after a vulnerability was revealed in Internet Explorer that would allow hackers to gain access to someone's cookies and expose the sensitive information they contain.

    The exploit was discovered last week and reported publicly rather than directly to Microsoft. At the time, the software giant advised customers to disable Active Scripting, to protect them from the Web-hosted and mail-borne variants of the vulnerability.

    Microsoft says the patch released Wednesday represents a fast turnaround by its security team.

    "The vulnerability was publicly disclosed by someone who discovered the vulnerability on Nov. 8, which was extremely irresponsible," said a Microsoft representative. "The immediate action that we took was to issue a work-around so that system administrators could protect themselves, and a patch was issued yesterday."

    The high-risk vulnerability in IE 5.5 and 6.0 allows malicious code to gain unauthorized access to the cookies that are used to customize and retain a site's setting for a customer across multiple sessions. Because some e-commerce Web sites use cookies to store sensitive information about consumers, it is possible that personal information could be exposed through the software hole.

    "It is a serious issue--people have always been worried about cookies, but have never considered that someone else could use the information from a Web site that they run," said Mark Read, security analyst at MIS Corporate Defence Solutions.

    The vulnerability came shortly after security flaws were found in Microsoft's Passport authentication system, causing the software maker to remove part of the service from the Internet. The privacy breach in Wallet, a Passport service that keeps track of data used by e-commerce sites, potentially exposed the financial data of thousands of consumers, undermining the company's recent efforts to convince people that it is serious about security.

    Read said he thinks it unlikely that the privacy policies of e-commerce sites will allow customer credit card details to be displayed as cookie information, but there is the potential for hackers to use the information to order goods online.

    Cookies are text files, saved on a computer hard drive as a unique reference for identifying individual customers. "There is no easy way to get around cookies, as there needs to be some way of placing a unique identifier on a computer to say 'this is me'--the only alternative is digital certificates," said Read.
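
An added example, not part of the original post or of Microsoft's bulletin: a triage function that applies the rules quoted above (exact match on Q312461 in the Update Versions text, patch prerequisites, fixing service packs, scripting workaround) to an inventory of hosts. The inventory rows, the separator format of the Update Versions text and all function names are assumptions made for the illustration.

```python
import re

PATCH_ID = "Q312461"  # patch identifier named in the post

def update_tokens(update_versions):
    """Split the 'Update Versions' text into upper-cased tokens.
    Assumption: entries are separated by ';', ',' or whitespace."""
    return {t.upper() for t in re.split(r"[;,\s]+", update_versions) if t}

def triage(ie_version, service_pack, update_versions, scripting_disabled):
    """Classify one host using only the rules stated in the post.
    ie_version: "5.5" or "6.0"; service_pack: int, 0 means Gold.
    Returns (status, action)."""
    if ie_version not in ("5.5", "6.0"):
        return ("not-covered", "post only addresses IE 5.5 and 6.0")
    # The fix is included in IE 5.5 SP3 and IE 6 SP1.
    if service_pack >= {"5.5": 3, "6.0": 1}[ie_version]:
        return ("fixed", "service pack already contains the fix")
    # Whole-token match, so a longer id such as Q3124610 does not count.
    if PATCH_ID in update_tokens(update_versions):
        return ("patched", "none")
    workaround = "" if scripting_disabled else (
        "disable Active scripting and Scripting of Java applets; ")
    # The IE 5.5 patch installs on SP2 only; the IE 6 patch on Gold.
    if service_pack != {"5.5": 2, "6.0": 0}[ie_version]:
        return ("exposed", workaround + "install IE 5.5 Service Pack 2, then the patch")
    return ("exposed", workaround + "install the patch and reboot")

# Constructed inventory: (host, IE version, service pack, Update Versions, scripting disabled)
HOSTS = [
    ("ws-01", "5.5", 2, "; SP2; Q312461;", False),
    ("ws-02", "5.5", 1, "; SP1;", False),
    ("ws-03", "6.0", 0, ";", True),
    ("ws-04", "6.0", 0, "; q312461;", False),
]

if __name__ == "__main__":
    for host, ver, sp, upd, scripting_off in HOSTS:
        status, action = triage(ver, sp, upd, scripting_off)
        print(f"{host}: IE {ver} SP{sp} -> {status}: {action}")
```
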

  2. #2
    SitePoint Wizard
    Thanks, downloading as we speak.

  3. #3
    What? Maelstrom's Avatar
    Thank you very much
    Maelstrom Personal - Apparition Visions
    Development - PhP || Mysql || Zend || Devshed
    Unix - FreeBSD || FreeBsdForums || Man Pages
    They made me a sitepoint Mentor - Feel free to PM me or Email me and I will see if I can help.

  4. #4
    We like music. weirdbeardmt's Avatar
    Nice one guvnor.
    I swear to drunk I'm not God.
    Matt's debating is not a crime
    Hint: Don't buy a stupid dwarf Clicky

  5. #5
    Pixels Matter! Jimknee's Avatar
    Thanks

  6. #6
    SitePoint Zealot Andthensometoo's Avatar
    Thanks. I still have IE 5.01

    While IE 5.01 is outside of hotfix support, it has been tested and found to be unaffected by this vulnerability in all versions (gold, SP1, and SP2)
    "If you handle with products .. this is a word to see It"
    elvis.isnotalive.com
    My Complaint Dept
    Visit Interceptor's AV review

  7. #7
    Are you ready for BSD? Marshall's Avatar
    As of Dec 13, there's a new security update for IE5.5SP2 and IE6:

    http://www.microsoft.com/windows/ie/...75/default.asp

    - Marshall

  8. #8
    SitePoint Wizard
    I installed the patch and started using IE again. It froze 2 times in 2 hours, so I quit using IE. Anyone else have the same experience?

    Everything just stopped. Well, mostly everything. I could still ping the box and my music would play, but the display stopped and I couldn't move my mouse or type or do anything, not even CTRL-ALT-DELETE.

  9. #9
    Are you ready for BSD? Marshall's Avatar
    Hmm... I installed this on an XP box and everything seemed fine for a few days. Then it did something strange last night... shut itself off for no reason and, after it came back up, both IE and Outlook wouldn't start for a while. It never froze on me, though. I've restarted since with no problems.

    Dunno.

    - Marshall

    *adds a 'use-at-your-own-risk' sticker to this security patch*

  10. #10
    SitePoint Zealot akohl's Avatar

    This is ridiculous! here's my solution!

    In order to use ie, I have to download the service pack (17 megs!), install it, which could involve complications, and then the patch (however many megs) and then install it with all of the further complications involved, and to do this I have to temporarily disable my antivirus program, at my own risk of course. And then I'll have to do it again in another few months when another threat is discovered.

    How about this for an easier solution. Fewer big downloads, complicated installations and hd reformats due to getting so stuck with viruses that this seems the least complicated way out!

    Use netscape or opera for online browsing, ie for offline site testing only and eudora for email. Oh, and also stop iis5 services while on the internet. I've heard that the Nimda virus can find its way into your system that way as well.

  11. #11
    SitePoint Addict coolbuzz's Avatar
    Thanks for the info

