Eli
Hi there:
A Spybot S&D Scan of my PC finds the following security vulnerability in
its scan:
<<<<
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3
Spybot [versions 1.2 and 1.3] offers to correct this by altering the
Registry Key as noted above.
Spybot's report of this security exploit leads me to:
http://www.greymagic.com/security/advisories/gm001-ie/
which is dated February 2002
An index of Grey Magic's Security Advisories:
http://www.greymagic.com/security/advisories/
leads to:
· GM#001-IE: Executing arbitrary commands without Active Scripting or
ActiveX.
Topic: A vulnerability in <object> elements can be exploited with data
binding.
Date: 27-Feb-2002.
Status: Patched by MS02-015
which suggests that the vulnerability had already been patched by MS in
2002.
MS article about patch for this issue, dated March 28, 2002:
http://www.microsoft.com/technet/security/bulletin/MS02-015.mspx
This in turn refers to a March 2002 cumulative security update Q319182 for
IE:
http://www.microsoft.com/windows/ie/downloads/critical/Q319182/default.asp
My question here is:
Am I correct in my surmising this security flaw has already been fixed by
the cumulative patches subsequent to Q319182?
I am assuming that Q319182 has been
superseded by later security patches for Internet Explorer, such as SP 1 or
later patches to IE.
If this is so, perhaps it might not be advisable to allow Spybot to alter
the Registry to correct a vulnerability which is no longer pertinent.
If there is something here I'm missing, please let me know.
Thank you
-Eli