Microsoft emergency fix kills bugs in IE, Visual Studio
Microsoft issued two emergency updates on Tuesday to fix critical security bugs that leave users of Internet Explorer and an untold number of third-party applications vulnerable to remote attacks that completely commandeer their computers. Most of the vulnerabilities are located in Microsoft's ATL, or Active Template Library, …
It is both reassuring and (slightly) amusing that Microsoft considers (in this COM and .Net ridden time) that the good old flowchart is the clearest and easiest way to ask yourself a few questions and determine if some code is affected by the KillBit bug being patched - nice one Redmond, glad to see sense for once prevailing :-)
If only the rest of your gang could see how to use technology sensibly and appropriately 8~| it could do wonders for your users, future products and OSes.
The page I'm referring to is this one
http://msdn.microsoft.com/en-us/ee309358.aspx
Like installing a .NET Firefox plugin that brings the IE InsEcurity to the Fox. (installed by the .NET framwork 3.5)
Plugin that cannot be uninstalled.
I bet they did not kill this one.
Looking forward to the updated fix to fix the bugs in the earlier fix. Wouldn't it be easier if you just stopped using activex?
That is the fault of FF I am afraid. Why did it let something get installed without explicit user consent? That is a MASSIVE security hole.
And this plug-in is for all users - so it should have demanded explicit consent from and Admin user.
Oh, wait, I forget; Windows user almost always run as Admin.
----
Plugin that cannot be uninstalled.
----
Yes it can, MS released a patch that enabled you to uninstall (rather than just disable) that plug months ago - please try to keep up.
Granted, putting it on there in the first place was shonky as hell behaviour but that's a different issue entirely.
"If you're using an ActiveX control that loads in an application other than IE, there's still the very real possibility that it has been poisoned by Microsoft's ATL and isn't fixed by these updates, said Ryan Smith, one of the researchers who discovered the killbit-override bug."
Sort of... If you are using an ActiveX control that used the previous version of ATL, then both you and IE are vulnerable until the author fixes that ActiveX control. In mitigation, the exploit code has to be already on your machine in order for it to be executed, unless the container application will happily download code from arbitrary locations and run that.
And only a complete muppet would design anything like *that*.
Sign up, sign up for The Register's weekly IT security newsletter - click here
