Max Burke
What *exactly* does this update fix?????
Does it fix this object data tag vulnerability or not?
<quote>
Description:
eEye Digital Security has discovered a security vulnerability in
Microsoft's Internet Explorer that would allow executable code to run
automatically upon rendering malicious HTML.
This is a flaw in Microsoft's primary contribution to HTML, the Object
tag, which is used to embed basically all ActiveX into HTML pages. The
parameter that specifies the remote location of data for objects is not
checked to validate the nature of the file being loaded, and therefore
trojan executables may be run from within a webpage as silently and as
easily as Internet Explorer parses image files or any other "safe" HTML
content.
This attack may be utilized wherever IE parses HTML, including websites,
email, newsgroups, and within applications utilizing web-browsing
functionality.
http://www.eeye.com/html/Research/Advisories/AD20030820.html
<end quote>
In some other security groups I read that some say this update not
only **doesn't** fix that vulnerability, Microsoft doesn't even acknowledge
there is a vulnerability (in this update). I'm still trying to 'decode'
the information on the Microsoft web page to see if it does or not.
<quote>
What does the patch do?
The patch addresses the vulnerabilities by ensuring that Internet
Explorer performs proper checks when it receives an HTTP response.
Workarounds
Are there any workarounds that can be used to block exploitation of this
vulnerability while I test the patch?
Yes. It should be noted that these workarounds should be considered
temporary measures as they just help block paths of attack rather than
correcting the underlying vulnerability. Microsoft encourages installing
the patch at the earliest opportunity.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-040.asp
<end quote>
[Does this mean installing the patch means the workarounds are no
longer needed, or they need to be applied *with* the patch?]
Note I have installed the update, but haven't removed the 'prompt
ActiveX workarounds' yet....
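As an added example (not from the post, eEye or Microsoft), the Python below sketches the kind of check the advisory describes as missing: the bytes fetched for an `<object data="...">` reference are classified by their leading magic bytes, and anything that is an executable, or whose real type disagrees with the declared `type`, is refused instead of rendered. The magic-byte table, the helper names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Magic bytes for a few common formats (constructed table for this example).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"MZ": "application/x-msdownload",  # DOS/PE executable header
}
# Types a renderer is willing to load through <object data="...">.
SAFE_TYPES = {"image/png", "image/jpeg", "image/gif"}


class ObjectTagCollector(HTMLParser):
    """Collects the (data, type) attribute pair of every <object> tag."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag == "object":
            a = dict(attrs)
            self.refs.append((a.get("data"), a.get("type")))


def find_object_refs(html):
    """Return [(data_url, declared_type), ...] for a page; type is None if absent."""
    p = ObjectTagCollector()
    p.feed(html)
    return p.refs


def sniff(data):
    """Classify by leading bytes, never by the URL suffix or declared type."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def object_data_allowed(declared_type, data):
    """Decide whether fetched object data may be rendered; returns (allowed, reason)."""
    actual = sniff(data)
    if actual == "application/x-msdownload":
        return False, "executable content"
    if declared_type is not None and declared_type != actual:
        return False, f"declared {declared_type} but content is {actual}"
    if actual not in SAFE_TYPES:
        return False, f"unsupported type {actual}"
    return True, actual
```

A page such as `<object data="x.gif"></object>` would be walked with `find_object_refs`, each referenced body fetched, and the body passed through `object_data_allowed` before anything is handed to a plug-in.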