Microsoft on Tuesday plans to release updates patching three critical Windows security vulnerabilities, two of which are already under attack. One of the updates plugs a hole in an Internet Explorer component that handles online video. Hundreds of thousands and possibly millions of websites - mostly catering to Chinese-speaking …
... what Microsoft has called a "browse-and-get-owned" experience ...
Everything's an experience for these people.
need to disable them later?
Question, do you need to "disable" those fix-it workarounds before installing the patches next Tuesday? I remember I enabled the other DirectShow workaround .msi and it said the "impact" of the workaround was that I could no longer stream any QuickTime content in my browser, but I still could so I wonder if it actually did anything.
RE: Need to disable them
The problem lies in that blurry line that exists between Windows and the Browser. From what I can gather, the code running the video in your browser, now, is the browser-intended plugin - just like the equivalent plugins that exist for Firefox and whatnot. That code is unaffected by this flaw. (To quote the advisory: "there are no by-design uses for [the affected] ActiveX Control in Internet Explorer"). The code that IS affected - while no longer used by the browser - does seem to be used by Outlook and Outlook Express. Click a link in an HTML mail, and (if your default browser is Internet Explorer), then Explorer will launch using the old code, instead of its plugin.
It's another exploit of the 'when is any part of Windows not actually the browser' vagueness, that has led to Microsoft building in this incredibly byzantine series of 'zones' of execution, and multiple copies of functionality, that do the same things, to run in different zones (a lot of 'code reuse' in Windows division, these days, is done using the Ctrl-C and Ctrl-V keys).
Certain applications are capable of browser-like behaviour, which shouldn't actually be *browsing,* when exhibiting these behaviours, or running in these zones. The flaws arise when attackers find a way of carrying a mode of execution from one application and zone, through to the browser, and thereby manage to use a copy of the code in a zone it shouldn't be running in.
Billions of dollars, this has cost them, to fix. All I can say is, that this is an awfully expensive approach to letting users email funny videos, of cats, to each other.
@Daniel 1: But cheap compared to losing
a cut and dried anti-trust case don't you think?
I've always been of the opinion that the whole integrated browser thing was nothing but a finely tuned dodge of what should have been the Netscape anti-trust case against MS. MS was losing the browser war with Netscape UNTIL they bundled it into Windows. Next thing you know IE has market share. But they had earlier agreed not to bundle applications as part of an earlier anti-trust case. Netscape sued. Next thing you know, the browser is being integrated into the OS "to improve the user experience" and coincidentally, moot a lawsuit.
MS only said one true thing during the entire court case, but that one true thing was enough to get them out of it: By the time the case was being argued, it was no longer about protecting the consumer, it was about the government taking control of the OS for its purposes. I wish I could wish a plague on both their houses, but these days that pretty much covers all houses.