Latest security glitch

 
Old 07-07-2009, 05:57 PM   #1
BXPS
Guest
 
Posts: n/a
Default Latest security glitch



Does anyone know, regarding the latest security hole announced on July 6, can
we avoid fooling around with the workaround by simply switching to Firefox or
another browser until a patch is released?
Old 07-07-2009, 06:28 PM   #2
Tom Willett
Guest
 
Posts: n/a
Default Re: Latest security glitch


What latest security hole would that be?

"BXPS" <BXPS@discussions.microsoft.com> wrote in message
news:5C0AFA47-B997-46BA-90DB-C677ACEE93F6@microsoft.com...
: Does anyone know, regarding the latest security hole announced on July 6, can
: we avoid fooling around with the workaround by simply switching to Firefox or
: another browser until a patch is released?


Old 07-07-2009, 07:02 PM   #3
Brian MXP
Guest
 
Posts: n/a
Default Re: Latest security glitch

Has anyone tried using the registry-modification workaround listed in
http://www.microsoft.com/technet/se...ory/972890.mspx yet?

It seems like you'd have to make a big honking registry file with all 40-something entries
listed set to the "Compatibility Flags"=dword:00000400 value.

But I wonder if that change (manual/scripted/deployed) could be updated accommodated by
whatever MSFT would issue come Patch Tuesday...

BXPS - I would imagine that using FFox would be a good start, but if IE gets called by
another application (say email link to URL), that might be enough protection...

TIA,
BM

Tom Willett wrote:
> What latest security hole would that be?
>
> "BXPS" <BXPS@discussions.microsoft.com> wrote in message
> news:5C0AFA47-B997-46BA-90DB-C677ACEE93F6@microsoft.com...
> : Does anyone know, regarding the latest security hole announced on July 6, can
> : we avoid fooling around with the workaround by simply switching to Firefox or
> : another browser until a patch is released?
>
>

Old 07-07-2009, 07:11 PM   #4
Brian MXP
Guest
 
Posts: n/a
Default Re: Latest security glitch


Typo:
should be "but if IE gets called by another application (say email link to URL), that
might NOT be enough protection..."

Brian MXP wrote:
> Has anyone tried using the registry-modification workaround listed in
> http://www.microsoft.com/technet/se...ory/972890.mspx yet?
>
> It seems like you'd have to make a big honking registry file with all
> 40-something entries listed set to the "Compatibility
> Flags"=dword:00000400 value.
>
> But I wonder if that change (manual/scripted/deployed) could be updated
> accommodated by whatever MSFT would issue come Patch Tuesday...
>
> BXPS - I would imagine that using FFox would be a good start, but if IE
> gets called by another application (say email link to URL), that might
> be enough protection...
>
> TIA,
> BM
>
> Tom Willett wrote:
>> What latest security hole would that be?
>>
>> "BXPS" <BXPS@discussions.microsoft.com> wrote in message
>> news:5C0AFA47-B997-46BA-90DB-C677ACEE93F6@microsoft.com...
>> : Does anyone know, regarding the latest security hole announced on July 6, can
>> : we avoid fooling around with the workaround by simply switching to Firefox or
>> : another browser until a patch is released?
>>

Old 07-07-2009, 08:39 PM   #5
MowGreen
Guest
 
Posts: n/a
Default Re: Latest security glitch


Download the MicrosoftFixit50287.msi from this KB article, save it, and
apply it to the systems that need it:

Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX
control could allow remote code execution
http://support.microsoft.com/kb/972890

There's also a ' Disable workaround Fixit ' on the page for when the
patch is released but ... since the patch will set the same killbits
that the Fixit does, there should be no need to install it unless there
are other Security fixes included ... as in a Cumulative Security Update
for IE.



MowGreen
===============
*-343-* FDNY
Never Forgotten
===============



Brian MXP wrote:

> Typo:
> should be "but if IE gets called by another application (say email link
> to URL), that might NOT be enough protection..."
>
> Brian MXP wrote:
>
>> Has anyone tried using the registry-modification workaround listed in
>> http://www.microsoft.com/technet/se...ory/972890.mspx yet?
>>
>> It seems like you'd have to make a big honking registry file with all
>> 40-something entries listed set to the "Compatibility
>> Flags"=dword:00000400 value.
>>
>> But I wonder if that change (manual/scripted/deployed) could be
>> updated accommodated by whatever MSFT would issue come Patch Tuesday...
>>
>> BXPS - I would imagine that using FFox would be a good start, but if
>> IE gets called by another application (say email link to URL), that
>> might be enough protection...
>>
>> TIA,
>> BM
>>
>> Tom Willett wrote:
>>
>>> What latest security hole would that be?
>>>
>>> "BXPS" <BXPS@discussions.microsoft.com> wrote in message
>>> news:5C0AFA47-B997-46BA-90DB-C677ACEE93F6@microsoft.com...
>>> : Does anyone know, regarding the latest security hole announced on July 6, can
>>> : we avoid fooling around with the workaround by simply switching to Firefox or
>>> : another browser until a patch is released?
>>>

Old 08-07-2009, 05:42 AM   #6
BXPS
Guest
 
Posts: n/a
Default Re: Latest security glitch


Okay, thanks!

"MowGreen" wrote:

> Download the MicrosoftFixit50287.msi from this KB article, save it, and
> apply it to the systems that need it:
>
> Microsoft Security Advisory: Vulnerability in Microsoft Video ActiveX
> control could allow remote code execution
> http://support.microsoft.com/kb/972890
>
> There's also a ' Disable workaround Fixit ' on the page for when the
> patch is released but ... since the patch will set the same killbits
> that the Fixit does, there should be no need to install it unless there
> are other Security fixes included ... as in a Cumulative Security Update
> for IE.
>
>
>
> MowGreen
> ===============
> *-343-* FDNY
> Never Forgotten
> ===============
>
>
>
> Brian MXP wrote:
>
> > Typo:
> > should be "but if IE gets called by another application (say email link
> > to URL), that might NOT be enough protection..."
> >
> > Brian MXP wrote:
> >
> >> Has anyone tried using the registry-modification workaround listed in
> >> http://www.microsoft.com/technet/se...ory/972890.mspx yet?
> >>
> >> It seems like you'd have to make a big honking registry file with all
> >> 40-something entries listed set to the "Compatibility
> >> Flags"=dword:00000400 value.
> >>
> >> But I wonder if that change (manual/scripted/deployed) could be
> >> updated accommodated by whatever MSFT would issue come Patch Tuesday...
> >>
> >> BXPS - I would imagine that using FFox would be a good start, but if
> >> IE gets called by another application (say email link to URL), that
> >> might be enough protection...
> >>
> >> TIA,
> >> BM
> >>
> >> Tom Willett wrote:
> >>
> >>> What latest security hole would that be?
> >>>
> >>> "BXPS" <BXPS@discussions.microsoft.com> wrote in message
> >>> news:5C0AFA47-B997-46BA-90DB-C677ACEE93F6@microsoft.com...
> >>> : Does anyone know, regarding the latest security hole announced on July 6, can
> >>> : we avoid fooling around with the workaround by simply switching to Firefox or
> >>> : another browser until a patch is released?
> >>>

>

Old 08-07-2009, 10:33 PM   #7
AliceZ
Guest
 
Posts: n/a
Default Re: Latest security glitch

Would you suggest that this "FixIt" be used on my Vista also?

I read "Though unaffected by this vulnerability, Microsoft is recommending
that Windows Vista and Windows Server 2008 customers remove support for this
ActiveX Control within Internet Explorer using the same Class Identifiers as
a defense-in-depth measure."

And does anyone know what they mean by: "using the same Class Identifiers
as a defense-in-depth measure?"
Old 08-07-2009, 10:46 PM   #8
MowGreen
Guest
 
Posts: n/a
Default Re: Latest security glitch


Although there is nothing on the Fixit page that says it's for Vista, it
is, Alice.
All it will do is set the same killbits for the CLSIDs that are listed
in the Security Advisory:

General Information > Suggested Actions > Workarounds
The CLSIDs are listed under Workarounds
The automated Fixit tool sets killbits so that none of the CLSIDs listed
can run.

Since there is no legitimate use of the ActiveX in question, applying
the Fixit to a Vista system provides what MS describes as 'defense in
depth'.
In plain English ... applying the Fixit will *not* cause any loss of
functionality and despite the fact that Vista is not vulnerable to this
exploit, provides another layer of protection, just in case. <w>


MowGreen
===============
*-343-* FDNY
Never Forgotten
===============




AliceZ wrote:

> Would you suggest that this "FixIt" be used on my Vista also?
>
> I read "Though unaffected by this vulnerability, Microsoft is recommending
> that Windows Vista and Windows Server 2008 customers remove support for this
> ActiveX Control within Internet Explorer using the same Class Identifiers as
> a defense-in-depth measure."
>
> And does anyone know what they mean by: "using the same Class Identifiers
> as a defense-in-depth measure?"

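Added example, not part of the thread or of Microsoft's advisory or Fixit: a Python sketch of the per-CLSID kill-bit workaround discussed in posts #3 and #8, which builds the .reg file and audits a regedit export for CLSIDs whose kill bit is still missing. The CLSIDs and the sample export are constructed placeholders; the real CLSID list is the one under Workarounds in the advisory.

```python
import re

# The kill bit is bit 0x400 of "Compatibility Flags" in each per-CLSID subkey.
KILL_BIT = 0x00000400
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

def build_reg(clsids):
    """Return .reg text that sets the kill bit for every CLSID given."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines += [f"[{BASE}\\{clsid}]",
                  f'"Compatibility Flags"=dword:{KILL_BIT:08x}', ""]
    return "\r\n".join(lines)

KEY_RE = re.compile(r"^\[(.+)\\(\{[0-9A-Fa-f-]{36}\})\]$")
VAL_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def audit_export(reg_text, required):
    """Return the required CLSIDs whose kill bit is NOT set in a regedit export."""
    flags, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            # Track only subkeys of the ActiveX Compatibility key.
            current = m.group(2).upper() if m.group(1).lower() == BASE.lower() else None
            continue
        if line.startswith("["):
            current = None  # some other key: ignore its values
            continue
        m = VAL_RE.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    # Test the bit, not equality: other compatibility flags may be set as well.
    return [c for c in required if not flags.get(c.upper(), 0) & KILL_BIT]

# Constructed placeholder CLSIDs (not the advisory's values).
REQUIRED = ["{00000000-0000-0000-0000-00000000000%d}" % i for i in range(1, 5)]

# Constructed export: kill bit set, kill bit plus another flag, flags zero, key absent.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{BASE}\\{REQUIRED[0]}]", '"Compatibility Flags"=dword:00000400', "",
    f"[{BASE}\\{REQUIRED[1]}]", '"Compatibility Flags"=dword:00800400', "",
    f"[{BASE}\\{REQUIRED[2]}]", '"Compatibility Flags"=dword:00000000', "",
])

if __name__ == "__main__":
    print("Kill bit missing for:", audit_export(SAMPLE_EXPORT, REQUIRED))
```

Files exported by regedit are normally UTF-16, so decode them accordingly before passing the text to `audit_export`.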
Old 09-07-2009, 01:28 AM   #9
Twayne
Guest
 
Posts: n/a
Default Re: Latest security glitch


"Tom Willett" <tom@youreadaisyifyoudo.com> wrote in message
news:eXKy39x$JHA.1336@TK2MSFTNGP05.phx.gbl
> What latest security hole would that be?


http://www.microsoft.com/technet/se...ory/972890.mspx

>
> "BXPS" <BXPS@discussions.microsoft.com> wrote in message
> news:5C0AFA47-B997-46BA-90DB-C677ACEE93F6@microsoft.com...
>> Does anyone know, regarding the latest security hole announced on
>> July 6, can we avoid fooling around with the workaround by simply
>> switching to Firefox or another browser until a patch is released?




Old 09-07-2009, 01:28 AM   #10
Twayne
Guest
 
Posts: n/a
Default Re: Latest security glitch


"BXPS" <BXPS@discussions.microsoft.com> wrote in message
news:5C0AFA47-B997-46BA-90DB-C677ACEE93F6@microsoft.com
> Does anyone know, regarding the latest security hole announced on
> July 6, can we avoid fooling around with the workaround by simply
> switching to Firefox or another browser until a patch is released?


It almost seems that way. The problem is ActiveX in IE.

