previous Escape From IE, Now!
It's simple like... next
12 12 2008

More Bad News for IE Users

Posted by: Giorgio in Advisories, IE, Mozilla, Security, NoScript

Blue or red
Latest updates from Microsoft: the critical remote execution bug which we already talked about affects all IE versions (included IE8 beta) on every supported Windows operating system.
The bulletin also corrects some early assumptions about this unpatched vulnerability, which is being actively exploited in the wild from apparently legitimate sites infected through automated SQL injections:

  • The hole is in data binding, and not in XML processing like many (me too) reported initially.
  • Increasing the security level of the Internet Zone to "High" and disabling active scripting does not suffice to protect you, even if it makes attacker's life slightly harder. Not harder than yours, though, since Microsoft's "Security Zones" have nothing of NoScript's usability...

The only work-around suggested by Microsoft is disabling both active scripting and the OLEDB32 library, which is unluckily required by most applications working with databases.

So, do you really want to keep inflicting yourself that blue "e"? Or are you ready for a red panda?

This entry was posted on Friday, December 12th, 2008 at 6:09 pm and is filed under Advisories, IE, Mozilla, Security, NoScript. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

12 Responses to “More Bad News for IE Users”

  1. #1 hackademix.net » It's simple like... says:
    December 14th, 2008 at 12:26 am

    [...] More Bad News for IE Users 14 12 2008 [...]

  2. #2 Aerik says:
    December 15th, 2008 at 2:24 am

    How do you disable the OLEDB32 library?

  3. #3 Giorgio says:
    December 15th, 2008 at 11:44 am

    @Aerik:
    Open a command prompt and enter:

    Regsvr32.exe /u "C:\Program Files\Common Files\System\Ole DB\oledb32.dll"

    Impact of workaround: All OLE DB and ADO applications will stop functioning. This includes all ASP/ADO implementations, SQL Server linked services, .Net applications using the System.Data.OLEDB namespace, and some Office functionality that accesses external data.

  4. #4 Ian M says:
    December 15th, 2008 at 2:52 pm

    Why is the link to getfirefox.com nofollowed?

  5. #5 Giorgio says:
    December 15th, 2008 at 3:01 pm

    @Ian M:
    because of an automatic filter with a whitelist not including it.

  6. #6 Brandon Jones says:
    December 16th, 2008 at 10:14 pm

    I believe I've accidentally caused this to occur in one of the web-apps I made for the company I work for. No other browser has the issue, but on IE 6,7,8 it decides it wants to hog 50% of the processor. Glad to know the issue is at least being addressed, albeit a bit odd.

  7. #7 Fabien says:
    December 17th, 2008 at 1:45 am

    That's not bad news. That's not even news. We've all known for years that IE is insecure.

  8. #8 hackademix.net » Opera, Firefox and IE Security Updates: All Together, All the Same? says:
    December 17th, 2008 at 4:28 pm

    [...] is about to release an out of band patch for its IE data-binding remote execution vulnerability which escaped the patch pack issued on Tue, Dec [...]

  9. #9 ציפור הרעם 3 - מוכנים לשינויים? « הבלוג של שימי says:
    December 17th, 2008 at 7:30 pm

    [...] הדרך, משהו שגרוע בכל דפדפני מייקרוסופט. אמרתי לכם שצריך להתרחק מהם, ועדיין אני אגיד לאורך כל [...]

  10. #10 Aerik says:
    December 18th, 2008 at 12:05 pm

    I thought something was so strange when just "regsvr32 -u oledb32.dll" wasn't working. That's what I did the last time I unregistered a .dll

    p.s. I just typed one of the most interesting recaptcha's ever.

  11. #11 Giorgio says:
    December 18th, 2008 at 12:19 pm

    @Aerik:

    one of the most interesting recaptcha's ever

    What?

  12. #12 user says:
    December 19th, 2008 at 12:07 pm

    but i still use IE a lot, LOL~

Bad Behavior has blocked 2416 access attempts in the last 7 days.