Internet Explorer Vulnerability Exploited Again

[Stryder]

Full Story: http://www.informationweek.com/story/showA...icleID=15201154

[ibe98765]

Again, this isn't an issue that is totally Microsoft's fault. As is recommended in the article:Microsoft also recommended that users protect themselves against the newer exploits by changing Internet Explorer's security zone settings to prompt before running ActiveX controls, and although the original patch doesn't cover all the bases, install that fix nonetheless.By default, the security settings in the Internet zone don't allow automatic downloading of Active-x controls and other things. You need to review and tune these. Your protection is up to you!As an aside, it is mentioned that other browsers don't have these problems. Why not? Don't they use or allow Active-X controls? If not, what happens when you encounter a site that wants to use Active-x controls?

[nlinecomputers]

Mozilla can't run Active X so the site doesn't work correctly. For example if you try to run Trend Micro's online virus scan, an active X program, you get redirected to this http://housecall.trendmicro.com/housecall/install.html.

[ibe98765]

Mozilla can't run Active X so the site doesn't work correctly.  For example if you try to run Trend Micro's online virus scan, an active X program, you get redirected to this http://housecall.trendmicro.com/housecall/install.html.

Well that stinks! Is Firebird the same? If so, I would have no use for these implementations. There are simply too many sites that I visit that require Active-x.

[nlinecomputers]

Really I use Moz as my main browser and except for Microsoft sites I rearly have trouble with it. I find more Java websites then Active X.

[GolfProRM]

Yes FB is the same... and I'm with Nathan. The only sites I run into where I need ActiveX are MS sites, and the only one I use semi-frequently is Windows update. Everything else now is Java or Flash (what I use anyway).

[Guest LilBambi]

Same here Ryan and Nathan ...MS sites are about the only ones where I absolutely will only use IE and I have had scripting set to prompt me for a long time now just to be on the safe side because of these types of things.I have no problems with Flash or Java sites, CSS or javascripting, php or most anything else in Firebird 6.1 ... as a matter of fact, it handles the alpha channel css sites much better than IE.I still like IE better for forums though ... it handles then a little better with adding codes throughout a message after you have already typed it, but that is a personal preference only. Firebird handles forums well overall.

[Jeber]

it handles then a little better with adding codes throughout a message after you have already typed it

I've only ever used Firebird or Moz since I joined the forums, so I've never seen what they look like in I.E. I'm not sure what the above means, since I don't do much with programming. Could you explain it for the clueless?

[GolfProRM]

Jeber,What she's saying is that when you use any of the buttons in a message post (bold, img, smileys, etc) IE will put the code wherever the cursor is at in the message. For some reason, FB/Moz will only put the code at the end of the message... This is a known problem with Moz/FB, but they have yet to figure out what it'll take to fix it.Fran,I agree with your point, and it is somewhat annoying, but I've just gotten used to typing out the code instead of using the buttons... Don't like having to take the hands off the keyboard.

[Jeber]

Shows how stupid one can be without all the facts. I assumed that was a board problem...never suspected my browser. I've gotten so used to either hand coding them or cut/paste that it's second nature to me now. Maybe I should spend a day here in I.E. just to see the difference. I haven't used Opera here for months, either. Time for some test drives.Thanks, Ryan.

[GolfProRM]

DON'T DO IT JEBER!!! DON'T GO BACK!

[Jeber]

Calm down...just a day, I said. Not to upset our I.E. users, but I just can't stand it as a browser anymore. Too fat a tool bar, limited options, slow, ugly, a security risk...better stop before the fire breaks out. But I am curious now that you've enlightened me. See...it's all your fault! :rolleyes:Of course, I'm usually here on Linux, which could slow me down a bit with I.E.

[Guest LilBambi]

LOL! Never fear Ryan ... Jack'll be right back in Linux :)Thanks for the great explanation Ryan ... that's exactly what I was referring to.

[Prelude76]

i'm in the "Firebird" crowd, and when i come across some sites that need ActiveX, i use IE. actually, there's just a couple, but i need them for work only. You can view a design part from a library in 3D and download what you need right into the design software. oh well, no big deal. personally i'd perfer to see ActiveX be made extinct but until that day comes, i'll just stick to Firebird and HTML and CSS and other codes that can't infect my computer by simply visiting a website.

[Ed_P]

The only sites I run into where I need ActiveX are MS sites,

I agree. I use Netscape constantly and rarely encounter sites that requires ActiveX. Windows Update is indeed one but it auto-starts IE anyways.

Shows how stupid one can be without all the facts. I assumed that was a board problem...never suspected my browser. I've gotten so used to either hand coding them or cut/paste that it's second nature to me now.

You're not alone. I have the same problem with Netscape and assumed the same thing. I also do the hand coding and sometimes use cut&paste also.Course it is common for website programmers to blame their coding shortcomings on the client's browser. So it could still be a board's problem.

[Peachy]

personally i'd perfer to see ActiveX be made extinct but until that day comes, i'll just stick to Firebird and HTML and CSS and other codes that can't infect my computer by simply visiting a website. 

Um ... .NET Framework, anyone? Ximian's Mono Project is an Open Source development hoping to bring a Linux version of Microsoft's .NET Development Framework to the UNIX/Linux software developer community. Basically, since .NET is supposed to allow the creation of applications that run on any operating system/hardware (think ActiveX on steroids) some bright lights in the GPL community decided to development a Linux version of .NET. Since I'm not a programmer, that's the best interpretation of .NET I can explain.

[ibe98765]

I guess you guys don't do enough surfing <g>. I encounter Active-x controls all the time. I know this because I get a prompt whenever a site wants to use one. Not only MS, but a lot of corporate sites use AX. OTOH, a lot of advertisers also use AX, particularly MSNBC and the NY TImes. I always have to click no to them on the prompt and then backup twice or three times to bypass them and return to where I was (even with my ad blocker running)...

[Guest LilBambi]

Actually, there are many sites that use the browser identification to direct you to the page that corresponds to your browser.It might have ActiveX if you use IE, but if you are not using IE, they recognize you have a different browser, and they deliver a page that does not have what is not supported for your browser.

[Ed_P]

Actually, there are many sites that use the browser identification to direct you to the page that corresponds to your browser.

I agree. I visit NY Times and MSNBC sites with Netscape 7.x and have no problems viewing or navigating them and no alerts that I need ActiveX to view or access something.

[Marsden11]

Do you think if I do a Google search I can locate sites that have implemented this latest Active-X exploit?

[ibe98765]

Do you think if I do a Google search I can locate sites that have implemented this latest Active-X exploit?

What exploit are you referring to?

[Peachy]

Methinks he's referring to this one!

[Marsden11]

A vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a Web server in a popup window. It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it could be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML–based e-mail that would attempt to exploit this vulnerability. A vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a Web server during XML data binding. It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it could be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML–based e-mail that would attempt to exploit this vulnerability.Since I don't allow HTML based email messages... not a problem. Since I don't surf random sites what are my chances of hitting a trusted site with malicous code?

[Peachy]

And the patch is now available as of yesterday:http://www.microsoft.com/windows/ie/downlo...750/default.asp

[Marsden11]

I caught that patch last night...