Blue or red
Latest updates from Microsoft: the critical remote code execution bug we already talked about affects all IE versions (IE8 beta included) on every supported Windows operating system.
The bulletin also corrects some early assumptions about this unpatched vulnerability, which is being actively exploited in the wild from apparently legitimate sites compromised through automated SQL injection:

  • The hole is in data binding, not in XML processing as many (me included) reported initially.
  • Raising the security level of the Internet Zone to “High” and disabling active scripting does not suffice to protect you, even if it makes an attacker’s life slightly harder. Not harder than yours, though, since Microsoft’s “Security Zones” have nothing of NoScript’s usability…

The only workaround suggested by Microsoft is disabling both active scripting and the OLEDB32 library, which is unfortunately required by most applications working with databases.

So, do you really want to keep inflicting that blue “e” on yourself? Or are you ready for a red panda?

12 Responses to “More Bad News for IE Users”

  1. #1 hackademix.net » It's simple like... says:

    […] More Bad News for IE Users 14 12 2008 […]

  2. #2 Aerik says:

    How do you disable the OLEDB32 library?

  3. #3 Giorgio says:

    @Aerik:
    Open a command prompt and enter:

    Regsvr32.exe /u "C:\Program Files\Common Files\System\Ole DB\oledb32.dll"

    Impact of workaround: All OLE DB and ADO applications will stop functioning. This includes all ASP/ADO implementations, SQL Server linked services, .Net applications using the System.Data.OLEDB namespace, and some Office functionality that accesses external data.
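An added example, not from the post or any of the comments: a read-only PowerShell audit of whether both parts of Microsoft's interim workaround (active scripting disabled in the Internet zone, oledb32.dll unregistered) are actually in effect on a machine. It assumes the standard Internet Settings zone layout (Zone 3 = Internet, action 1400 = Active scripting) and that oledb32.dll registers its COM classes under HKCR\CLSID\<clsid>\InprocServer32; it changes nothing itself.

```powershell
# Added example (not the post's or its commenters' code). Read-only audit of the workaround.
# Assumptions: Zone 3 is the Internet zone; action value 1400 is "Active scripting"
# (0 = enable, 1 = prompt, 3 = disable); oledb32.dll's classes live under HKCR\CLSID.

function Test-ActiveScriptingDisabled {
    # CurrentLevel 0x12000 is the "High" template; 1400 -eq 3 is the actual scripting switch.
    $zone  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $props = Get-ItemProperty -Path $zone -ErrorAction Stop
    [pscustomobject]@{
        CurrentLevel    = ('0x{0:X}' -f [int]$props.CurrentLevel)
        ActiveScripting = $props.'1400'
        Disabled        = ($props.'1400' -eq 3)
    }
}

function Test-Oledb32Unregistered {
    # "Regsvr32.exe /u ...\oledb32.dll" removes the CLSID keys but leaves the file on disk,
    # so the file's presence proves nothing; look for InprocServer32 entries pointing at it.
    $hits = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') `
                                    -Name '(default)' -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -like '*oledb32.dll*') { $_.PSChildName }
        }
    [pscustomobject]@{
        RegisteredClsids = @($hits)
        Unregistered     = (@($hits).Count -eq 0)
    }
}

$scripting = Test-ActiveScriptingDisabled
$oledb     = Test-Oledb32Unregistered
'Internet zone level: {0}; active scripting disabled: {1}' -f $scripting.CurrentLevel, $scripting.Disabled
'oledb32.dll COM classes still registered: {0}' -f $oledb.RegisteredClsids.Count
if ($scripting.Disabled -and $oledb.Unregistered) {
    'Both parts of the workaround are in effect.'
} else {
    # Re-registering later is the same command without /u; weigh the Impact note above first.
    'Workaround is incomplete on this machine.'
}
```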

  4. #4 Ian M says:

    Why is the link to getfirefox.com nofollowed?

  5. #5 Giorgio says:

    @Ian M:
    because of an automatic filter with a whitelist not including it.

  6. #6 Brandon Jones says:

    I believe I’ve accidentally caused this to occur in one of the web-apps I made for the company I work for. No other browser has the issue, but on IE 6,7,8 it decides it wants to hog 50% of the processor. Glad to know the issue is at least being addressed, albeit a bit odd.

  7. #7 Fabien says:

    That’s not bad news. That’s not even news. We’ve all known for years that IE is insecure.

  8. #8 hackademix.net » Opera, Firefox and IE Security Updates: All Together, All the Same? says:

    […] is about to release an out of band patch for its IE data-binding remote execution vulnerability which escaped the patch pack issued on Tue, Dec […]

  9. #9 Thunderbird 3 - Ready for changes? « Shimi's blog says:

    […] the way, something that is broken in all Microsoft browsers. I told you that you need to stay away from them, and I will still say so all along […]

  10. #10 Aerik says:

    I thought something was so strange when just "regsvr32 -u oledb32.dll" wasn’t working. That’s what I did the last time I unregistered a .dll.

    p.s. I just typed one of the most interesting recaptcha’s ever.

  11. #11 Giorgio says:

    @Aerik:

    one of the most interesting recaptcha’s ever

    What?

  12. #12 user says:

    But I still use IE a lot, LOL~
