  1. #1 jscher2000, Super Moderator (Silicon Valley, USA)

    Unpatched IE vulnerability - unofficial patch

    Wonder whether anyone has tried the "unofficial patch" for the latest IE problem. I can't seem to find any documentation on exactly what it does, so I'm reluctant. But maybe one of you is more adventurous?

    eEye Digital Security Releases Multiple Protection Strategies for Zero-Day IE Exploit
    http://www.eeye.com/html/company/press/PR20060327.html

  2. #2 Bill (AFE7Ret), 4 Star Lounger (Bellevue, Nebraska, USA)

    Re: Unpatched IE vulnerability - unofficial patch

    I saw that too but did not apply it as I question its need - or more accurately, I question the need to implement an unapproved patch.
    All too often, IMHO, it seems these vulnerabilities are blown WAY out of proportion, often by naggers who just love to complain about anything MS. I feel I must constantly remind folks that this is NOT Microsoft's fault. It is not Internet Explorer's fault, or Bill Gates' fault. It is bad guys doing bad things!

    Yes, there is a vulnerability, but just how easy is it to exploit?

    Can the bad guy push it past my NAT router, past my updated AV/AS/AT scanners, past my pop-up and spam blockers, past my firewall, past my own disciplined safe computing practices and then deliver his payload on to my fully updated and patched PC? Then from there, will he be able to activate the exploitation, and finally get his "booty" out past my firewall again?

    Now granted, in some circles, I am considered an IT security expert, at least I get paid to be one, so I am expected to keep my systems safe. But in reality, just like drivers are expected to drive safely and keep their cars in safe running condition so they do not become a hazard to the rest of us, all PC users are expected to keep their systems safe by keeping them updated, using updated malware scanners and a good FW, scanning downloads and attachments before opening, yadda, yadda. This is to keep our own systems safe, but also to keep our systems from being hijacked, turned into zombies, and used against other users. Unfortunately, many users don't for various reasons, one of the most common being fear of being caught with an illegal copy of Windows on their machines!

    My advice: make sure your system is fully updated with the latest "official" patches and critical updates. Ensure you are using updated anti-virus, anti-spyware, and anti-Trojan applications with "active scanning" (AKA "in-resident", "in-memory", "real-time"). Ensure you have a duplex firewall, such as ZoneAlarm or Kerio, that protects against unauthorized incoming AND outgoing access attempts (the XP SP2 Windows Firewall is only simplex; it does not stop unauthorized outgoing access attempts). ALWAYS scan downloads and attachments BEFORE opening/installing. Don't open spam. And stay away from sites your momma would disapprove of!

    Finally, if you like Internet Explorer, by all means continue to use it. I do exclusively. Firefox, although a good browser, is NOT the panacea for Internet security as many would have you think.
    Bill (AFE7Ret)
    Freedom is NOT Free!
    Heat is the bane of all electronics!

    ─────────────────────

  3. #3 jscher2000, Super Moderator (Silicon Valley, USA)

    Re: Unpatched IE vulnerability - unofficial patch

    Bill, no one can disagree with the need for firewall and antivirus and patching. There are dozens of vulnerabilities, often critical, discovered each month, and at least as many fixed, some quietly, some not so quietly. You won't find me posting about very many of them because those tools really do work.

    But sometimes, this is not enough. In my job I need to do a huge amount of web surfing and visit a lot of questionable web sites. Because I generally allow JavaScript to execute -- much of the web is unusable otherwise -- I personally am vulnerable to this exploit. Accordingly, there is no protection for me from any known security product; my workaround is to mostly use Firefox for the time being.

    For those who confine themselves to safe sites, sites that can't possibly be hacked or spoofed, of course this particular vulnerability does not affect them.

    Regarding this trend of security researchers offering their own patches, it is to be regarded skeptically. Despite their simplicity, these fixes could have unintended consequences, and the sites that make them available have to be completely trusted. The lack of explanation of what this patch does also makes it more difficult to know whether it is a risk worth taking.

    Finally, with respect to Microsoft haters going overboard, some definitely do. In particular, technology "fanboys" who gush about their favorite companies and products clearly lack the objectivity that comes with time and bitter disappointment. But I'm a lawyer, so I'm trained to see lots of shades of gray where others prefer black and white. ;)

    I do have to disagree with the assignment of fault solely to those who exploit vulnerabilities. The maker of a defective infant car seat that detaches in a collision is not off the hook simply because a third party was responsible for the accident; no family would accept that. Of course, flaws in Windows generally don't expose people to the risk of death, so the analogy is a bit too dramatic. Still, the software maker's indirect contribution to identity theft, or the consequences of a criminal investigation for hosting a porn FTP site, cannot be ignored. Quality needs to improve, and companies that make their living from software know this and are working on it as hard as they can.

    I think we do best by recognizing that these are tools to be used, not idols nor devils, and trying to be objective in identifying their flaws and helping each other in working around them. Hopefully my posts can be understood in that spirit.
