Welcome to the GeekTalk Webmaster Discussion Forums from GeekVillage.com

11-18-2001, 10:53 AM   #1
singloon
[Internet Explorer 5.5 & 6.0 security patch]!

To all members using IE 5.50 and 6.0 browsers: please read this http://news.cnet.com/news/0-1005-200...html?tag=cd_mh

The security patch can be downloaded and installed from here

What vulnerabilities are eliminated by this patch?

This patch, when installed, eliminates all known security vulnerabilities affecting Internet Explorer 5.5 and 6.0. In addition to eliminating all previously discussed vulnerabilities affecting these versions, it also eliminates three new ones.

============================================
Installation platforms:
- The IE 5.5 patch can be installed on IE 5.5 Service Pack 2.
- The IE 6 patch can be installed on IE 6 Gold.

Inclusion in future service packs:
The fix for these issues will be included in IE 5.5 Service Pack 3, and IE 6 Service Pack 1.

Reboot needed: Yes

Verifying patch installation:

- To verify that the patch has been installed on the machine, open IE, select Help, then select About Internet Explorer and confirm that Q312461 is listed in the Update Versions field.

- To verify the individual files, use the patch manifest provided in Knowledge Base article Q312461.
============================================

If you can't update yet... Microsoft advises that you


Microsoft is urging IE users to disable active scripting in their browser settings. In addition, consumers using Outlook Express should set their preferences within the mail program to allow only "Restricted Sites" to load, according to the company.

To disable active scripting in IE, open the Tools menu in the browser, followed by Internet Options and then the tab for Security. Next, open the Custom Level option; in the Settings box, scroll down to the Scripting section. Click Disable under "Active scripting" and "Scripting of Java applets." Click OK, and then click OK again.


Explanation

Quote:
Microsoft has issued a patch almost a week after a vulnerability was revealed in Internet Explorer that would allow hackers to gain access to someone's cookies and expose the sensitive information they contain.

The exploit was discovered last week and reported publicly rather than directly to Microsoft. At the time, the software giant advised customers to disable Active Scripting, to protect them from the Web-hosted and mail-borne variants of the vulnerability.

Microsoft says the patch released Wednesday represents a fast turnaround by its security team.

"The vulnerability was publicly disclosed by someone who discovered the vulnerability on Nov. 8, which was extremely irresponsible," said a Microsoft representative. "The immediate action that we took was to issue a work-around so that system administrators could protect themselves, and a patch was issued yesterday."

The high-risk vulnerability in IE 5.5 and 6.0 allows malicious code to gain unauthorized access to the cookies that are used to customize and retain a site's setting for a customer across multiple sessions. Because some e-commerce Web sites use cookies to store sensitive information about consumers, it is possible that personal information could be exposed through the software hole.

"It is a serious issue--people have always been worried about cookies, but have never considered that someone else could use the information from a Web site that they run," said Mark Read, security analyst at MIS Corporate Defence Solutions.

The vulnerability came shortly after security flaws were found in Microsoft's Passport authentication system, causing the software maker to remove part of the service from the Internet. The privacy breach in Wallet, a Passport service that keeps track of data used by e-commerce sites, potentially exposed the financial data of thousands of consumers, undermining the company's recent efforts to convince people that it is serious about security.

Read said he thinks it unlikely that the privacy policies of e-commerce sites will allow customer credit card details to be displayed as cookie information, but there is the potential for hackers to use the information to order goods online.

Cookies are text files, saved on a computer hard drive as a unique reference for identifying individual customers. "There is no easy way to get around cookies, as there needs to be some way of placing a unique identifier on a computer to say 'this is me'--the only alternative is digital certificates," said Read.

11-18-2001, 12:12 PM   #2
LastActionHero

Thanks Singloon! I missed that one. Trust MS to come up with new and serious holes in their software.

Side Note: If you want to know other vulnerabilities on your system, download and run CatchUp software from catchup.com (Another C|Net service). Just follow the instructions. It's an excellent utility.

11-20-2001, 05:01 PM   #3
darnell

Take comfort in knowing that MS knew about this issue before anyone warned the public. Only after the public was warned via Online Solutions going public with the problem did MS decide it was time to warn everyone....

Nice huh? NOT....

11-20-2001, 06:55 PM   #4
sdarken

I am not a Microsoft groupie but I don't think that a one week delay is bad considering that IE5 has been out for ages and this is the first time that this security problem has been reported to the public.

Microsoft must get lots of people sending in all sorts of dubious security problems and I presume that when they make an announcement they really want to be able to verify that the problem really exists and then offer a proper fix. It has to take some time to figure out a solution and then make certain that the fix is not going to cause big problems in some other area. Imagine how horrible it would be to be the person that authorizes the release of a patch which actually makes more problems than it fixes.

There is no reason that Online Solutions (the company that found the problem) had to issue a press release after only giving MS one week to solve it. Seems as though Online Solutions was looking for a little media time for themselves.

MS has a lot to lose with these sorts of issues and you can be certain that they were busy looking for a solution before this was made public.

11-20-2001, 09:36 PM   #5
darnell

All MS had to do was send a security update informing IE users to turn off Active Scripting. I don't think companies REALLY make some security issues a priority till the public is informed. They may be "working on it", but they really make a fix after things hit the fan. I feel this way, because I have worked at many companies that make products used by the world and that's the approach they all took. I'm sure IE, like other products, has tons of other holes that are still unknown, but after being informed, they should make a fix top priority and inform users.

I don't believe that Online Solutions would have been the only company to discover the problem and I think some Black-Hat hackers may have already known about it. Which is why I feel security holes should be made public as soon as they are found. I know everyone does not agree with that, but I for one think the public needs to know ASAP. Then everyone can take preventive measures like turning off Active Scripting or using a different browser till the hole is patched.

These issues affect more than just MS (of course) and so we all should be aware of issues the moment they are discovered. Then we can decide if we want to keep using the product.

I think a group like Security Focus should be told about a bug first. They will make it public and inform MS about the issue. This informs the public, while forcing MS to make a fix top priority.

Every time a security hole hits the press, MS releases a patch days later. Don't tell the press, and well...this time a week passed and they still had yet to produce a patch.

11-21-2001, 01:26 AM   #6
knuyie

Thanks for the warning, but I have one problem. I have Internet Explorer 5.5, but it isn't exactly Internet Explorer Service Pack 2, so I can install the update to fix this problem. Any other tips?

11-21-2001, 06:44 AM   #7
singloon

I had IE 5.5 SP1 so I upgraded to 5.5 SP2 and then applied the patch.

11-21-2001, 03:28 PM   #8
darnell

To stay up on all security notifications made by Microsoft, see this page: http://www.microsoft.com/technet/tre...tin/notify.asp

If you sign up, they will e-mail you each time they make a new fix or acknowledge a security issue.

11-21-2001, 03:36 PM   #9
sdarken

You can also use the very handy Windows Update facilities at Microsoft to get the latest updates and set up your preferences so that your machine prompts you to pull down critical updates when they are released.

11-21-2001, 11:43 PM   #10
knuyie

Thanks guys! I've installed the upgrades and patch.

All times are GMT -5.