Tweet
To all members using IE 5.50 and 6.0 browsers please read this http://news.cnet.com/news/0-1005-200...html?tag=cd_mh
security patch can be downloaded and installed from here
What vulnerabilities are eliminated by this patch?
This patch, when installed, eliminates all known security vulnerabilities affecting Internet Explorer 5.5 and 6.0. In addition to eliminating all previously discussed vulnerabilities affecting these versions, it also eliminates three new ones.
============================================
Installation platforms:
- The IE 5.5 patch can be installed on IE 5.5 Service Pack 2.
- The IE 6 patch can be installed on IE 6 Gold.
Inclusion in future service packs:
The fix for these issue will be included in IE 5.5 Service Pack 3, and IE 6 Service Pack 1.
Reboot needed: Yes
Verifying patch installation:
- To verify that the patch has been installed on the machine, open IE, select Help, then select About Internet Explorer and confirm that Q312461 is listed in the Update Versions field.
- To verify the individual files, use the patch manifest provided in Knowledge Base articles Q312461.
============================================
If you can't update yet... Microsoft advises that you
Microsoft is urging IE users to disable active scripting in the their browser settings. In addition, consumers using Outlook Express should set their preferences within the mail program to allow only "Restricted Sites" to load, according to the company.
To disable active scripting in IE, open the Tools menu in the browser, followed by Internet Options and then the tab for Security. Next, open the Custom Level option; in the Settings box, scroll down to the Scripting section. Click Disable under "Active scripting" and "Scripting of Java applets." Click OK, and then click OK again.
Explanation
security patch can be downloaded and installed from here
What vulnerabilities are eliminated by this patch?
This patch, when installed, eliminates all known security vulnerabilities affecting Internet Explorer 5.5 and 6.0. In addition to eliminating all previously discussed vulnerabilities affecting these versions, it also eliminates three new ones.
============================================
Installation platforms:
- The IE 5.5 patch can be installed on IE 5.5 Service Pack 2.
- The IE 6 patch can be installed on IE 6 Gold.
Inclusion in future service packs:
The fix for these issue will be included in IE 5.5 Service Pack 3, and IE 6 Service Pack 1.
Reboot needed: Yes
Verifying patch installation:
- To verify that the patch has been installed on the machine, open IE, select Help, then select About Internet Explorer and confirm that Q312461 is listed in the Update Versions field.
- To verify the individual files, use the patch manifest provided in Knowledge Base articles Q312461.
============================================
If you can't update yet... Microsoft advises that you
Microsoft is urging IE users to disable active scripting in the their browser settings. In addition, consumers using Outlook Express should set their preferences within the mail program to allow only "Restricted Sites" to load, according to the company.
To disable active scripting in IE, open the Tools menu in the browser, followed by Internet Options and then the tab for Security. Next, open the Custom Level option; in the Settings box, scroll down to the Scripting section. Click Disable under "Active scripting" and "Scripting of Java applets." Click OK, and then click OK again.
Explanation
Microsoft has issued a patch almost a week after a vulnerability was revealed in Internet Explorer that would allow hackers to gain access to someone's cookies and expose the sensitive information they contain.
The exploit was discovered last week and reported publicly rather than directly to Microsoft. At the time, the software giant advised customers to disable Active Scripting, to protect them from the Web-hosted and mail-borne variants of the vulnerability.
Microsoft says the patch released Wednesday represents a fast turnaround by its security team.
"The vulnerability was publicly disclosed by someone who discovered the vulnerability on Nov. 8, which was extremely irresponsible," said a Microsoft representative. "The immediate action that we took was to issue a work-around so that system administrators could protect themselves, and a patch was issued yesterday."
The high-risk vulnerability in IE 5.5 and 6.0 allows malicious code to gain unauthorized access to the cookies that are used to customize and retain a site's setting for a customer across multiple sessions. Because some e-commerce Web sites use cookies to store sensitive information about consumers, it is possible that personal information could be exposed through the software hole.
"It is a serious issue--people have always been worried about cookies, but have never considered that someone else could use the information from a Web site that they run," said Mark Read, security analyst at MIS Corporate Defence Solutions.
The vulnerability came shortly after security flaws were found in Microsoft's Passport authentication system, causing the software maker to remove part of the service from the Internet. The privacy breach in Wallet, a Passport service that keeps track of data used by e-commerce sites, potentially exposed the financial data of thousands of consumers, undermining the company's recent efforts to convince people that it is serious about security.
Read said he thinks it unlikely that the privacy policies of e-commerce sites will allow customer credit card details to be displayed as cookie information, but there is the potential for hackers to use the information to order goods online.
Cookies are text files, saved on a computer hard drive as a unique reference for identifying individual customers. "There is no easy way to get around cookies, as there needs to be some way of placing a unique identifier on a computer to say 'this is me'--the only alternative is digital certificates," said Read.
The exploit was discovered last week and reported publicly rather than directly to Microsoft. At the time, the software giant advised customers to disable Active Scripting, to protect them from the Web-hosted and mail-borne variants of the vulnerability.
Microsoft says the patch released Wednesday represents a fast turnaround by its security team.
"The vulnerability was publicly disclosed by someone who discovered the vulnerability on Nov. 8, which was extremely irresponsible," said a Microsoft representative. "The immediate action that we took was to issue a work-around so that system administrators could protect themselves, and a patch was issued yesterday."
The high-risk vulnerability in IE 5.5 and 6.0 allows malicious code to gain unauthorized access to the cookies that are used to customize and retain a site's setting for a customer across multiple sessions. Because some e-commerce Web sites use cookies to store sensitive information about consumers, it is possible that personal information could be exposed through the software hole.
"It is a serious issue--people have always been worried about cookies, but have never considered that someone else could use the information from a Web site that they run," said Mark Read, security analyst at MIS Corporate Defence Solutions.
The vulnerability came shortly after security flaws were found in Microsoft's Passport authentication system, causing the software maker to remove part of the service from the Internet. The privacy breach in Wallet, a Passport service that keeps track of data used by e-commerce sites, potentially exposed the financial data of thousands of consumers, undermining the company's recent efforts to convince people that it is serious about security.
Read said he thinks it unlikely that the privacy policies of e-commerce sites will allow customer credit card details to be displayed as cookie information, but there is the potential for hackers to use the information to order goods online.
Cookies are text files, saved on a computer hard drive as a unique reference for identifying individual customers. "There is no easy way to get around cookies, as there needs to be some way of placing a unique identifier on a computer to say 'this is me'--the only alternative is digital certificates," said Read.
Comment