Microsoft warns of serious security hole

MowGreen

Twayne said:
No, the article specifically says that as far as they know it hasn't
been exploited - yet. It's something that was found in-house so to
speak. You can bet now it'll be exploited though, since it's been
released to the public!

HTH,

Twayne

You obviously have a reading comprehension issue. From the Security
Advisory:
We are aware of attacks attempting to exploit the vulnerability.

Can you understand that sentence ?
Now, read this:

IE 0day exploit domains (constantly updated)
http://isc.sans.org/diary.html?storyid=6739

See the sites listed ? Now tell us again how this vulnerability was
discovered ' in house ' and how it's not being actively exploited.

On second thought, just forget it. I can't waste my time with ignorant
trolls.


MowGreen
===============
*-343-* FDNY
Never Forgotten
===============
 
Twayne

MowGreen said:
You obviously have a reading comprehension issue. From the Security
Advisory:

As it explains elsewhere, it has NOT been exploited YET, to their
knowledge. After the disclosure though you can bet it will be if they
can figure out the rest of what they need!
Can you understand that sentence ?
Now, read this:

IE 0day exploit domains (constantly updated)
http://isc.sans.org/diary.html?storyid=6739

Means little; not a good source.
See the sites listed ? Now tell us again how this vulnerability
was discovered ' in house ' and how it's not being actively exploited.

That may or may not be true, depending on how fast the bad boys can
react. A quick research on your "diary" shows it to not be that accurate
OR credible and heavily biased.
On second thought, just forget it. I can't waste my time with ignorant
trolls.

Good; until you learn some interpersonal skills and reading
comprehension improves, it's the right thing to do.

Twayne
 
Anteaus

The worrying thing is that the exploit (like most others) has been available
for hackers to exploit for the best part of a decade.

Which raises the question, how effective is patching, securitywise? Assuming
that (say) 50% of all NT/2000/XP exploits have now been found and patched,
that leaves 50% still available for hackers to exploit. If the hackers have
found some of the other 50% and the security guys haven't... then you have a
problem. No matter how well-patched you are.

Interestingly, the CCP (among other repressive governments) has teams of
hackers who are paid to do nothing other than find exploits in operating
systems that can be used to inject spyware into western systems containing
classified information. Thus it is very probable that a fair proportion of
that other 50% is known to someone, somewhere.

On that basis, patching is still a wise precaution, but it guarantees
NOTHING.

Just making that point, because it sometimes seems that too much faith is
placed in patching.

AliceZ wrote:

Last update: July 7, 2009 - 6:07 AM
SAN JOSE, Calif. - Microsoft Corp. has taken the rare step of warning about
a serious computer security vulnerability it hasn't fixed yet.

The vulnerability disclosed Monday affects Internet Explorer users whose
computers run the Windows XP or Windows Server 2003 operating software.
 
AliceZ

Is there any way that we will be able to tell what the KB number will be of
the "fix" that is "supposed" to fix this "error."
I already installed the "FixIt" 50287, and wonder IF there is a KB fix for
this "problem," will it be 'picked-up' by MS when I do a Critical Update? By
that I mean, will I still get a KB "fix" for the original problem if I
already installed the "FixIt"?
Or, will I still get a KB (critical) update and then I will have to uninstall
the "FixIt" 50287 by using the "Uninstall" program 50288?
Just confusing and hope I am making this clear.
========================
 
MowGreen

Microsoft Security Bulletin MS09-032 - Critical
Cumulative Security Update of ActiveX Kill Bits (973346)
http://www.microsoft.com/technet/security/Bulletin/MS09-032.mspx
Affected Software
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
**Severity ratings do not apply to this update because the vulnerability discussed in this bulletin
does not affect this software. However, as a defense-in-depth measure to protect against any possible
new vectors identified in the future, Microsoft recommends that customers of this software apply this
security update.

" Defense in depth " means that just in case the criminals discover new
methods to exploit this vulnerability.
Has that sunk in yet or do you need another explanation ?

<Plonk>

MowGreen
===============
*-343-* FDNY
Never Forgotten
===============
 
AliceZ

Some of us are not as smart as others (think they are) and that is why we ask
questions.
All we ask is that someone lends some help and enlightenment. Caustic and
rude replies are really not necessary (as I see in some of the posts). If you
cannot offer a polite reply, why reply at all?
Thanks to all who are trying to be helpful.
 
Jim

AliceZ said:
Is there any way that we will be able to tell what the KB number will be of
the "fix" that is "supposed" to fix this "error."
I already installed the "FixIt" 50287, and wonder IF there is a KB fix for
this "problem," will it be 'picked-up' by MS when I do a Critical Update? By
that I mean, will I still get a KB "fix" for the original problem if I
already installed the "FixIt"?
Or, will I still get a KB (critical) update and then I will have to uninstall
the "FixIt" 50287 by using the "Uninstall" program 50288?
Just confusing and hope I am making this clear.
========================
MS is supposed to release an update to fix this problem on July 14. As they
are well aware of the hotfix, perhaps the installation instructions will
describe what, if anything, the user should do before installing this
update.

People should read the July 09 Security Bulletin for additional information.

Jim
 
AliceZ

Thanks, Jim.
Do you know if the "update" will still install, even if the "Fix-It" was
installed previously?
I noticed two critical updates yesterday (7/14/09), and both of them
installed on my PC (KB971633; KB961371), but from reading description, I
don't know if they had anything to do with the "FixIt."
I am just confused because I don't know that much about computers (and I am
sure others might also be feeling the same thing).

======================
 
AliceZ

Just an add-on:

Just read the following at

http://www.microsoft.com/technet/security/Bulletin/MS09-032.mspx

"Frequently Asked Questions (FAQ) Related to This Security Update
If I have applied the workaround from Microsoft Security Advisory 972890, do
I need to install this security update?
Microsoft Security Advisory 972890 describes a workaround that prevents the
Microsoft Video ActiveX Control from running in Internet Explorer. Customers
can either manually apply this workaround or use the automated Microsoft Fix
it solution in Microsoft Knowledge Base Article 972890 to enable the
workaround. Customers who have applied this workaround using either method do
not need to install this security update."

Can I assume that if we installed the "FixIt," we don't need to do anything
(uninstall it, etc.)?

Thanks
Alice
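
The workaround and the MS09-032 update discussed in this thread both work by setting ActiveX kill bits, so one way to see whether a machine is covered is to inspect the kill-bit registry entries directly. The Python sketch below is an added example, not part of the original thread or of Microsoft's tooling; it parses a `reg export` of the `ActiveX Compatibility` key, and the CLSIDs and the sample export are constructed placeholders, not the real control's identifiers.

```python
import re

KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that stops IE loading a control

# Constructed sample in `reg export` format. The CLSIDs are placeholders,
# NOT the Microsoft Video ActiveX Control class identifiers.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000B}]
"Compatibility Flags"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000C}]
"Compatibility Flags"=dword:00000401
"""

KEY_RE = re.compile(r"^\[.*\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def parse_compat_flags(export_text):
    """Map each CLSID under ActiveX Compatibility to its flags (None if no value)."""
    flags, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            flags[current] = None
        elif line.startswith("["):
            current = None  # some other registry key: ignore its values
        elif current:
            value = FLAGS_RE.match(line)
            if value:
                flags[current] = int(value.group(1), 16)
    return flags

def killbit_report(export_text, clsids):
    """Return {clsid: bool}: True only if the key exists and the kill bit is set."""
    flags = parse_compat_flags(export_text)
    report = {}
    for clsid in clsids:
        value = flags.get(clsid.upper())
        # Mask the bit: other compatibility flags may be set alongside it.
        report[clsid] = value is not None and bool(value & KILL_BIT)
    return report
```

A real `reg export` file is UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text in, and substitute the CLSIDs listed in the advisory for the placeholders.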
 
Jim

AliceZ said:
Thanks, Jim.
Do you know if the "update" will still install, even if the "Fix-It" was
installed previously?
I noticed two critical updates yesterday (7/14/09), and both of them
installed on my PC (KB971633; KB961371), but from reading description, I
don't know if they had anything to do with the "FixIt."
I am just confused because I don't know that much about computers (and I am
sure others might also be feeling the same thing).

======================
I also installed some patches yesterday. I was offered 2, and neither
solves the Active X problem. However, I later discovered (not certain how),
that actually there were 3 patches, and the missing one addressed the Active
X problem.

It seems that MS Update determined that the hotfix had been installed, and
that the new security update is not needed on this machine. I'll update my
laptop one day next week, and perhaps I will know more then.

Jim
 
Tom Willett

: I also installed some patches yesterday. I was offered 2, and neither
: solves the Active X problem. However, I later discovered (not certain how),
: that actually there were 3 patches, and the missing one addressed the Active
: X problem.
:
: It seems that MS Update determined that the hotfix had been installed, and
: that the new security update is not needed on this machine. I'll update my
: laptop one day next week, and perhaps I will know more then.
:
: Jim

I had installed the hotfix, and did not uninstall it. I was offered the
patch during the update process and accepted it.
 
AliceZ

"Jim" wrote:

Thanks Jim.
I had two patches yesterday also (KB971633; KB961371) and the "Malicious"
one KB 890830. I allowed all three to install.
I was just wondering if the updates from MS would know we had already
installed the FixIt (workaround) and do what was necessary (install or not
install the patch).
I think I might be getting a bit paranoid about this situation.
I will leave the FixIt as it is (not uninstall it with 50288) and install
future patches without looking at and dissecting each and every one, etc.
It sounds like that is what you are doing also.

======
 
AliceZ

Just a FYI....
Tonight I updated the Critical Updates for my Vista (I did not install the
FixIt on this Vista notebook) I received some Critical Updates, and lo and
behold, there was a KB973346 which pertained to KillBits active-X, etc. So, I
presume this is the patch for the IE Active-X problem.
I had been under the impression that Vista did not need the FixIt for this
Active-X problem. Guess it did after all.
Wonder if other folks with Vista also got this Critical Update KB973346.
 
Tom Willett

Why don't you post in a Vista newsgroup?

: Just a FYI....
: Tonight I updated the Critical Updates for my Vista (I did not install the
: FixIt on this Vista notebook) I received some Critical Updates, and lo and
: behold, there was a KB973346 which pertained to KillBits active-X, etc. So, I
: presume this is the patch for the IE Active-X problem.
: I had been under the impression that Vista did not need the FixIt for this
: Active-X problem. Guess it did after all.
: Wonder if other folks with Vista also got this Critical Update KB973346.
 
AliceZ

I posted it here (FYI) because Vista was mentioned in some of the earlier
threads, and that the FixIt was not "intended" for Vista because Vista "did
not" need the FixIt 'patch.' That is the only reason why I posted the FYI on
this thread.
==========
 
