  1. #1
    5 Star Lounger
    Join Date
    Jan 2011
    Location
    Seattle, WA
    Posts
    1,070
    Thanks
    42
    Thanked 132 Times in 86 Posts

    If you use IE, don't at least not for now




    PATCH WATCH UPDATE




    By Susan Bradley

    A serious vulnerability in Internet Explorer 6 through 9 has come to light, and there's no patch at this time.
    If you must use Internet Explorer for specific applications, use another browser as much as possible and remove or disable Java.

    The full text of this column is posted at windowssecrets.com/patch-watch/if-you-use-ie-don-t-at-least-not-for-now.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

  2. #2
    5 Star Lounger
    Join Date
    Nov 2010
    Posts
    665
    Thanks
    1
    Thanked 26 Times in 24 Posts
    I virtualize my browsing (sandboxie) and do that in a virtual XP OS so double-virtualize. Still, I might think of installing an alternative browser soon; depends on how fast a hot patch gets done by M$.

  3. #3
    2 Star Lounger NTLS's Avatar
    Join Date
    Mar 2010
    Location
    Great LAND of TEXAS
    Posts
    122
    Thanks
    3
    Thanked 4 Times in 3 Posts
    For this type of a problem as well as the WS Hack issue, as soon as you discover or are aware of such a problem there would be a very important need, in this day and age of threats that are not necessarily just for websites but all on the web, an OUT of CYCLE mailing to inform your members that do not visit the Lounge very often. I for one do visit when possible, which is not very often.

    It should be considered a Standard Practice Policy for all websites to issue a WARNING message to any addy they have within their mailings. I am not just suggesting this, it should be written up as a STANDARD for all websites. Maybe the W3 should be included in this decision so it can be used World Wide, I know each country would need to address this for themselves, but; we are a community that has spread WORLD WIDE. We need to also be protecting each other as well as ourselves.

    If any other has an idea of how to put this out as mentioned or modified to include any other idea to make this a necessary issue ASAP are welcomed and appreciated

    I also leave it open to you, at WSs, to handle this as you see fit
    TIA, CU L8R,
    NTxLS Win7 Pro 64bit SP1; FireFox v49.x, all with the latest updates

  4. #4
    New Lounger
    Join Date
    Dec 2009
    Location
    Chicago
    Posts
    7
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I got worried after reading the sentence, "This type of threat is why we recommend setting up a non-admin account on the PC you use most of the time."

    I use Firefox all the time. Should I set up a non-admin account on it? And what IS a non-admin account and how does one set one up?

    Thank you for this and other articles.

    In case you haven't guessed, I'm a newbie.

  5. #5
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    @ Walking D1aster: welcome to the Lounge!

    Using a non admin account to run your day-to-day business on a PC is a sound and well established practice. Many attacks on machines will only be able to change settings limited to the privileges of the currently logged in user. If that user has non-admin privileges the effect of the malware is much more limited and easier to recover from.

    There are several ways to set up a limited account, depending on which version of Windows you use. In general go to Control Panel, then into User Accounts and create a new account. Set that account with a password and make it an Administrator. Next log out from your current account and log into the new Administrator account. Then go back to Control Panel and User Accounts. Now select Manage a Different Account and choose your pre-existing account. In there you can change it to a limited account (sometimes described as a standard account depending on which version of Windows you use).

    Finally log out of the Administrator account and log back into your pre-existing account. Nothing will have changed, except in that pre-existing account, you will not be able to install or remove software and you will not be able to make system wide changes. Since you can't do those things, neither can a malware attack. If you need to install software, you can Run as Admin (if using Vista or above), or log out and log into the Administrator account if using XP. It sounds long-winded, but most people rarely need to make system wide changes and if they do, it's very quick to switch accounts to do so.

    :
    :
    :

    On a different topic, I'm not 100% sure of the need to stop using Internet Explorer due to the disclosed vulnerability as suggested by Susan and others elsewhere. Other browsers have vulnerabilities too and, frankly, the biggest risk a computer user faces is caused by their own online habits. By running from a non-admin account, using multi-layered security and practicing safe browsing habits, most users will be protected well enough until an out-of-band patch is released for this issue (it's being worked on right now).
    In God we trust; all others must bring data.

    - William Edwards Deming. 1900 - 1993

  6. The Following 3 Users Say Thank You to Tinto Tech For This Useful Post:

    bobprimak (2012-09-20),Dick-Y (2012-09-20),dkmac (2012-09-24)
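
The account split described in post #5, scripted as an added example (it is not part of the thread or any poster's own instructions). It assumes an elevated PowerShell prompt and uses the built-in `net.exe` tool; the account name `LocalAdmin` is a hypothetical placeholder.

```powershell
# Added example: create a separate administrator, then demote the daily
# account to a standard (limited) user. Run from an elevated prompt.
param(
    [string]$DailyUser = $env:USERNAME,   # the pre-existing account to demote
    [string]$AdminUser = 'LocalAdmin'     # hypothetical name for the new admin
)

# Resolve built-in group names from well-known SIDs (the names are localized).
function Get-GroupName([string]$Sid) {
    $acct = (New-Object Security.Principal.SecurityIdentifier $Sid).Translate(
        [Security.Principal.NTAccount]).Value
    return $acct.Split('\')[-1]
}
$admins = Get-GroupName 'S-1-5-32-544'   # Administrators
$users  = Get-GroupName 'S-1-5-32-545'   # Users

# Stop unless this session really holds administrator rights.
$me = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt.'
}
if ($DailyUser -eq $AdminUser) { throw 'The two accounts must be different.' }

# Step 1: create the new administrator; '*' makes net.exe prompt for a password.
net.exe user $AdminUser '*' /add
if ($LASTEXITCODE -ne 0) { throw "Could not create $AdminUser." }
net.exe localgroup $admins $AdminUser /add
if ($LASTEXITCODE -ne 0) { throw "Could not add $AdminUser to $admins." }

# Step 2: confirm the new admin is in the group before demoting anyone, so the
# machine is never left without a usable administrator account.
$members = net.exe localgroup $admins | ForEach-Object { $_.Trim() }
if ($members -notcontains $AdminUser) { throw "$AdminUser is not in $admins." }

# Step 3: demote the daily account. Adding it to Users first may report that
# it is already a member; that error is expected and ignored.
net.exe localgroup $users $DailyUser /add 2>$null
net.exe localgroup $admins $DailyUser /delete
if ($LASTEXITCODE -ne 0) { throw "Could not remove $DailyUser from $admins." }

Write-Output "$DailyUser is now a standard user; use $AdminUser for installs."
```

The demotion takes effect at the next logon, so log out and back in afterwards, as the post describes.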

  7. #6
    Lounger
    Join Date
    May 2010
    Location
    Wisconsin
    Posts
    43
    Thanks
    9
    Thanked 8 Times in 7 Posts
    So far as I could tell, Opera is also a reasonable alternative browser. Or Chromium - Chrome without the Googly bits. Since I run XP in a virtual machine and only use IE for Windows Update, I'm not going to pay undue attention to this other than as it can affect people I know who still use vulnerable IE versions.

    I like the idea of sandboxing Internet use. For most people I know I suggest as well a separate non-admin account and using an alternative browser. Since XP goes totally out of support in April '14, I'm working to either transition them to an upgraded Windows version (and hardware upgrades) or to Linux depending on their needs, capabilities, and budget.

    The single biggest problem I've found is with those who have business apps tied to old versions of IE. Mitigation gets.... interesting.

  8. #7
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Posts
    4,753
    Thanks
    171
    Thanked 652 Times in 575 Posts
    Microsoft published a fix for this IE issue yesterday, before this Windows Secrets article was published (so much for "I'll post an update in the lounge when it's released"!) :


    "Internet Explorer Fix it available now; Security Update scheduled for Friday

    Feed:
    MSRC
    Posted on: Wednesday, September 19, 2012 6:20 PM
    Author: MSRCTeam

    Earlier this week, an issue impacting Internet Explorer affected a small number of customers. The potential exists, however, that more customers could be affected. As a result, today we have released a Fix it that is available to address that issue. This is an easy, one-click solution that will help protect your computer right away. It will not affect your ability to browse the web, and it does not require a reboot of your computer.

    Then, on this Friday, Sept. 21, we will release a cumulative update for Internet Explorer through Windows Update and our other standard distribution channels. We recommend that you install this update as soon as it is available. If you have automatic updates enabled on our PC, you won’t need to take any action – it will automatically be updated on your machine. This will not only reinforce the issue that the Fix It addressed, but cover other issues as well.

    Today’s Advance Notification Service (ANS) provides additional details about the update we are releasing on Friday - MS12-063. We are planning to release this bulletin as close to 10 a.m. PDT as possible. This cumulative update for Internet Explorer has an aggregate severity rating of Critical. It addresses the publicly disclosed issue described in Security Advisory 2757760 as well as four other Critical-class remote code execution issues.

    We will also hold a special live webcast, during which we’ll take your questions above everything we release on Friday, Sept. 21 at 12 p.m. PDT. Click here to register.

    Thanks –

    Yunsun Wee
    Director, Trustworthy Computing."


    Bruce

  9. The Following 2 Users Say Thank You to BruceR For This Useful Post:

    bobprimak (2012-09-20),Dick-Y (2012-09-20)

  10. #8
    Plutonium Lounger Medico's Avatar
    Join Date
    Dec 2009
    Location
    USA
    Posts
    12,631
    Thanks
    161
    Thanked 936 Times in 856 Posts
    Thanks Bruce, I read that earlier, then forgot about it as I use IE 10. Darn, it's hell getting old!
    BACKUP...BACKUP...BACKUP
    Have a Great Day! Ted


    Sony Vaio Laptop, 2.53 GHz Duo Core Intel CPU, 8 GB RAM, 320 GB HD
    Win 8 Pro (64 Bit), IE 10 (64 Bit)


    Complete PC Specs: By Speccy

  11. #9
    3 Star Lounger midnight's Avatar
    Join Date
    Dec 2010
    Location
    Almost Deep East Texas
    Posts
    352
    Thanks
    42
    Thanked 8 Times in 7 Posts
    I was just about to post concerning it. I saw the link in Martin Brinkman's column this morning and went to get it. Have it installed everywhere except my church office and I'm on my way there now.

    BJ

  12. #10
    New Lounger
    Join Date
    Dec 2009
    Location
    Seattle
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I run Ubuntu every now and then with VMWare Player - Would using say Firefox in Ubuntu in a virtual machine be a pretty fool-proof way to stay safe on the internet? I do way too much installing and uninstalling to run my computer as nonadministrator on a regular basis.

  13. #11
    New Lounger Windows_john's Avatar
    Join Date
    Sep 2012
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Oh I totally forgot to inform my old dad about that. Hopefully he wasn't downloading all the internet again with IE

  14. #12
    Plutonium Lounger Medico's Avatar
    Join Date
    Dec 2009
    Location
    USA
    Posts
    12,631
    Thanks
    161
    Thanked 936 Times in 856 Posts
    Either uninstall Java or use the link supplied by Bruce to the FixIt site.
    BACKUP...BACKUP...BACKUP
    Have a Great Day! Ted


    Sony Vaio Laptop, 2.53 GHz Duo Core Intel CPU, 8 GB RAM, 320 GB HD
    Win 8 Pro (64 Bit), IE 10 (64 Bit)


    Complete PC Specs: By Speccy

  15. #13
    3 Star Lounger
    Join Date
    Dec 2009
    Location
    Fresno, California, USA
    Posts
    259
    Thanks
    0
    Thanked 71 Times in 45 Posts
    You beat me to it, I was coming in today to post that there's a Fixit now but a patch will be out on Friday. Thanks for posting in here before I had a chance to do so. We have to put the newsletter to bed on Wednesday and the fixit came out after the deadline for the newsletter.

    Due to the timing, I'd just wait for the update. I still see that these are targeted attacks right now so I'm comfy in saying to skip the fixit, wait for the update.

  16. #14
    Star Lounger
    Join Date
    Mar 2009
    Posts
    67
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks for the info. I uninstalled Java and saw the post for the Microsoft fix. I wonder if this is related to an issue I had the last 2 days. I did a Windows update and a Norton update. The next day, my Norton Internet Security was disabled and my internet connection was disabled. Yesterday I was updating my son's laptop and the same issue came up. His is a wireless connection and Toshiba tech support couldn't help. I had to do a complete restore to factory settings on the laptop.

    Mike

  17. #15
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,483
    Thanks
    176
    Thanked 152 Times in 129 Posts
    The Fixit should be unneeded after Friday's scheduled out of cycle MS patch for IE. Everyone should get the patch as soon as it's proven safe.

    Sandboxing seems a bit redundant with Chrome and with Windows 8 in general. They both have excellent protections of their own. But one more layer never hurts, as long as it doesn't stop websites from operating.

    I use IE 10 in Windows 8, but otherwise, I use Chrome almost exclusively in Windows 7, and Firefox with NoScript, Ghostery, all Java plugins disabled, and DoNotTrackPlus in Windows XP, along with Comodo Firewall and Comodo DNS. Not failsafe, but better than wide-open IE 9 or earlier in Windows XP. For some features of LibreOffice I still need a Java Runtime. Hopefully they'll get away from that Java dependency sometime soon.

    I use DoNotTrackPlus in all my browsers except IE, just for privacy reasons. I don't use sandboxing, for simplicity reasons. Not that Sandboxie is all that difficult to set up.
    Last edited by bobprimak; 2012-09-20 at 17:23.
    -- Bob Primak --
