Scallywags are using an unpatched vulnerability in an ActiveX component to distribute malware, Microsoft warned on Monday. The development adds to already pressing unresolved Internet Explorer security bug woes. No patch is available for the Office Web Components ActiveX security hole, although there are workarounds which can be …
I love it - "Swiss cheese browser gains extra hole" - that made my day. Quick, someone pass this to hillary.
Limited User Account
If you haven't already done so, it might be a good time to consider running XP as a Limited User. It only takes a few minutes to set up and it is one of the most important security precautions you can take. It's no magic bullet but it does make life an awful lot harder for the bad guys. If you need further convincing, check out:
Tux, because my daughter requested that I reinstall Linux yesterday so she could run some old Windows 95 games under Wine. Installed Linux Mint so that it could run directly off the Windows partition. So far, so good.
Delving a Little Deeper into Pandora's Box of Immaculate Delights
"Nonetheless, the current outbreak of unpatched ActiveX bugs has prompted some security watchers, including the SANS Institute's Internet Storm Centre (here) and F-Secure (here), to advise punters to consider using alternative browsers in preference to Internet Explorer. "
It is not a browser bug, it is a Private Pirate Trojan for Entering Systems Operations with Source Core Controls. And MSHacked with Virtual Control/Thought Projection and Realisation. It would then make them a Mammoth Open Source Tool of Printed Cash for Free EntrePreNeuReal Distribution...... is One Option Available in the AIdDerivative Virtual Futures Market.
And now for something completely different...
a security hole in IE...
What a shock!
Vulnerabilities in IE exploiting ActiveX? Really? Surely not?
As so many times in the past, a partial solution (as your story points out) is to use one of the many free alternatives to Internet Explorer (plus, of course, patching and hardening the hell out of WinXP).
Or, of course, a better solution is to use one of the alternatives to Windows such as a Mac or Linux.
SANS Twitter feed got this early
SANS ISC has an excellent Twitter feed that got word of this flaw out at 22:48 UTC yesterday. Well worth picking up the tweet if you have responsibilities for squashing these types of bugs: http://twitter.com/sans_isc_fast
Maybe Hillary Clinton and Pat Kennedy need to look into this...
Firefox on the corporate/government network looks more and more appealing...
Good advice. Unless of course you're a Microsoft shop and have installed some of their software that requires the local user to have administrative privileges on their PC....
Been there, tried that, got my head handed to me on the proverbial platter.
Now go back to your Security Awareness class.
IT depts can do whatever they want. It might however make sense for some El Reg readers to consider changing to LUA on their home XP machines. Improved security for zero cost ? Sounds like a win to me.
Now go back to your Cynicism 101 class.
I can't believe...
There are really people out there that still run ActiveX?
Oh wait, right. You disable it and disable it, and every time you update something on your system its magically reenabled again. Sorry, my bad.
@ Toastan Buttar
"IT depts can do whatever they want"
Really? Wow. If you work in an IT department I hope to never have to work in that organisation.
Now go back to your day job.
Too many now
This gets to be beyond the funny joke.
Mozilla must launch program to help user stop IE before it starts as part of security suite, or uninformed user will accidentally use it and have their bank stolen.
Why IE developers not prosecuted for all this?
@ Toastan Buttar
Well said only 3 out of 500 desktops here have admin rights. I always run XP with restricted rights most apps don't require admin rights or just a minor permissions tweek to get them working. If you must then use 'runas' to run an app as an admin or login as an admin but don't browse the internet while you are.
Oops-as bad as Firefox's latest cockup...
SBerry has discovered a vulnerability in Mozilla Firefox, which can be exploited by malicious people to compromise a user's system.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in version 3.5. Other versions may also be affected
Solution: Do not browse untrusted websites or follow untrusted links. <Doooh>
Quickly, let's all move to the "secure" Firefox browser [all of the cool kids are using it}! Bwahahahaha
Pray tell what MS software *requires* Admin? Typically most software that /appears/ to require admin needs little more than relaxed permissions on a few reg keys or a folder or two.
All my users are running as User, they don't even get to be power user on their own machine. No print driver installs, no changing the screen resolution, nothing administrative. I've had to loosen a few registry and folder permissions for AutoCAD and some other software but I never had a problem with Office 97. Haven't run any Office version since then and OpenOffice needed no special tweaks at all.
In a friends office I administer the users needed local admin to run QuickBooks and that is reason enough that I tell everyone that QuickBooks is the worst designed piece of software I've ever encountered. I believe they've now addressed that in the most recent version.
Old fart is old
> "IT depts can do whatever they want"
> Really? Wow. If you work in an IT department I hope to never have to work in that organisation.
FWIW, I'm a software engineer for a multinational company. Our IT is outsourced to a, well....different multinational IT group. Our developer machines are almost entirely Windows XP and user privileges are tied down pretty firmly by that IT group (i.e. even developers don't have admin rights on Windows) . Personally, I think it's a Good Thing. To a limited degree, I apply the same policies at home. It works well for me and I hope I've given others a friendly tip to enable them to be that little bit more secure.
> Now go back to your day job.
Happy to. I like my job. Do you ?
I second that. I recall getting some troublesome apps from Adobe to work that way. A good practice, though hard work, is to repackage the software for automated deployment, correct perms guaranteed that way.
Has anyone ever discovered someone who says 'Bwahahahaha' who isn't as thick as a brick?