T
Tx2
'Press Release' just received in my inbox from Microsoft
Summary:
========
On Friday, July 2, 2004, Microsoft is releasing a configuration
change for Windows XP, Windows 2000, and Windows Server 2003, to
address recent malicious attacks against Internet Explorer, also
know as Download.Ject. More information is available at
www.microsoft.com/presspass.
Windows customers are encouraged to apply this configuration change
immediately to help be protected from current Internet Explorer
exploits. The update is available on Windows Update.
Microsoft's guidance for consumers and enterprises is as follows:
Guidance for Consumers:
=======================
The configuration change will be delivered automatically for
customers that have enabled automatic updates from Windows
Update. The configuration change can also be obtained by
manually visiting the Windows Update site at
http://windowsupdate.microsoft.com .
Guidance for Enterprise customers:
==================================
Enterprise customers are encouraged to review a Knowledge Base
article for guidance on how to deploy the configuration change
across their networks. The Knowledge Base article can be
found at:
http://support.microsoft.com/default.aspx?kbid=870669
Enterprise customers can also download the configuration
change from Microsoft's download center at:
http://download.microsoft.com
* Customers who have installed Windows XP SP2 RC2 are already
protected from the Download.Ject exploit and do not need the
update.
* This configuration change is a defense in depth measure which
disables an ActiveX control known as adodb.stream. Disallowing
this functionality prevents an attacker from placing malicious
code on a PC hard drive and will prevent the Download.Ject attack.
* Customers can get more information about the Download.Ject attack,
how to be protected and how to get cleaned in the event of
infection at:
http://www.microsoft.com/security/incident/download_ject.mspx .
Support:
========
Technical support is available from Microsoft Product Support
Services at 1-866-PC SAFETY (1-866-727-2338). There is no
charge for support calls associated with this update.
International customers can get support from their local Microsoft
subsidiaries. Phone numbers for international support can be found
at: http://support.microsoft.com/common/international.aspx
Additional Resources:
=====================
* Microsoft has created a free monthly e-mail newsletter containing
valuable information to help you protect your network. This
newsletter provides practical security tips, topical security
guidance, useful resources and links, pointers to helpful
community resources, and a forum for you to provide feedback
and ask security-related questions.
You can sign up for the newsletter at:
http://www.microsoft.com/technet/security/secnews/default.mspx
* Protect your PC: Microsoft has provided information on how you
can help protect your PC at the following locations:
http://www.microsoft.com/security/protect/
If you receive an e-mail that claims to be distributing a
Microsoft security update, it is a hoax that may be distributing a
virus. Microsoft does not distribute security updates through
e-mail. You can learn more about Microsoft's software distribution
policies here:
http://www.microsoft.com/technet/security/topics/policy/swdist.mspx
Summary:
========
On Friday, July 2, 2004, Microsoft is releasing a configuration
change for Windows XP, Windows 2000, and Windows Server 2003, to
address recent malicious attacks against Internet Explorer, also
know as Download.Ject. More information is available at
www.microsoft.com/presspass.
Windows customers are encouraged to apply this configuration change
immediately to help be protected from current Internet Explorer
exploits. The update is available on Windows Update.
Microsoft's guidance for consumers and enterprises is as follows:
Guidance for Consumers:
=======================
The configuration change will be delivered automatically for
customers that have enabled automatic updates from Windows
Update. The configuration change can also be obtained by
manually visiting the Windows Update site at
http://windowsupdate.microsoft.com .
Guidance for Enterprise customers:
==================================
Enterprise customers are encouraged to review a Knowledge Base
article for guidance on how to deploy the configuration change
across their networks. The Knowledge Base article can be
found at:
http://support.microsoft.com/default.aspx?kbid=870669
Enterprise customers can also download the configuration
change from Microsoft's download center at:
http://download.microsoft.com
* Customers who have installed Windows XP SP2 RC2 are already
protected from the Download.Ject exploit and do not need the
update.
* This configuration change is a defense in depth measure which
disables an ActiveX control known as adodb.stream. Disallowing
this functionality prevents an attacker from placing malicious
code on a PC hard drive and will prevent the Download.Ject attack.
* Customers can get more information about the Download.Ject attack,
how to be protected and how to get cleaned in the event of
infection at:
http://www.microsoft.com/security/incident/download_ject.mspx .
Support:
========
Technical support is available from Microsoft Product Support
Services at 1-866-PC SAFETY (1-866-727-2338). There is no
charge for support calls associated with this update.
International customers can get support from their local Microsoft
subsidiaries. Phone numbers for international support can be found
at: http://support.microsoft.com/common/international.aspx
Additional Resources:
=====================
* Microsoft has created a free monthly e-mail newsletter containing
valuable information to help you protect your network. This
newsletter provides practical security tips, topical security
guidance, useful resources and links, pointers to helpful
community resources, and a forum for you to provide feedback
and ask security-related questions.
You can sign up for the newsletter at:
http://www.microsoft.com/technet/security/secnews/default.mspx
* Protect your PC: Microsoft has provided information on how you
can help protect your PC at the following locations:
http://www.microsoft.com/security/protect/
If you receive an e-mail that claims to be distributing a
Microsoft security update, it is a hoax that may be distributing a
virus. Microsoft does not distribute security updates through
e-mail. You can learn more about Microsoft's software distribution
policies here:
http://www.microsoft.com/technet/security/topics/policy/swdist.mspx