More Bad News for IE Users
Posted by: Giorgio in Advisories, IE, Mozilla, Security, NoScript
Latest updates from Microsoft: the critical remote execution bug which we already talked about affects all IE versions (IE8 beta included) on every supported Windows operating system.
The bulletin also corrects some early assumptions about this unpatched vulnerability, which is being actively exploited in the wild from apparently legitimate sites infected through automated SQL injections:
- The hole is in data binding, not in XML processing as many (me too) reported initially.
- Increasing the security level of the Internet Zone to "High" and disabling active scripting does not suffice to protect you, even if it makes an attacker's life slightly harder. Not harder than yours, though, since Microsoft's "Security Zones" have none of NoScript's usability...
The only workaround suggested by Microsoft is disabling both active scripting and the OLEDB32 library, which is unfortunately required by most applications working with databases.
So, do you really want to keep inflicting that blue "e" on yourself? Or are you ready for a red panda?
December 15th, 2008 at 2:24 am
How do you disable the OLEDB32 library?
December 15th, 2008 at 11:44 am
@Aerik:
Open a command prompt and enter:
December 15th, 2008 at 2:52 pm
Why is the link to getfirefox.com nofollowed?
December 15th, 2008 at 3:01 pm
@Ian M:
because of an automatic filter with a whitelist not including it.
December 16th, 2008 at 10:14 pm
I believe I've accidentally caused this to occur in one of the web-apps I made for the company I work for. No other browser has the issue, but on IE 6,7,8 it decides it wants to hog 50% of the processor. Glad to know the issue is at least being addressed, albeit a bit odd.
December 17th, 2008 at 1:45 am
That's not bad news. That's not even news. We've all known for years that IE is insecure.
December 17th, 2008 at 4:28 pm
[...] is about to release an out of band patch for its IE data-binding remote execution vulnerability which escaped the patch pack issued on Tue, Dec [...]
December 17th, 2008 at 7:30 pm
[...] the way, something that is bad in all Microsoft browsers. I told you that you need to stay away from them, and I will still say throughout all [...]
December 18th, 2008 at 12:05 pm
I thought something was so strange when just "regsvr32 -u oledb32.dll" wasn't working. That's what I did the last time I unregistered a .dll.
P.S. I just typed one of the most interesting reCAPTCHAs ever.
December 18th, 2008 at 12:19 pm
@Aerik:
What?
December 19th, 2008 at 12:07 pm
But I still use IE a lot, LOL~