Imhotep
Sun Apr 02 16:01:25 CDT 2006
Patrick Dickey wrote:
> Imhotep wrote:
>> UPDATE: Hundreds of malicious Web sites are attempting to exploit the
>> most critical of two flaws announced last week in Microsoft's browser,
>> convincing two companies to release workarounds late Monday to head off
>> the threat.
>>
>>
>> http://www.securityfocus.com/news/11384?ref=rss
>>
>> Im
>
> Here is ISC's take on the temporary patches... Source :
>
> http://isc.sans.org/diary.php?date=2006-03-28
>
>> Temporary Patches for createTextRange Vulnerability
>> Published: 2006-03-28,
>> Last Updated: 2006-03-28 18:26:03 UTC by Johannes Ullrich (Version: 1)
>>
>> eEye released a temporary patch for the current createTextRange
>> vulnerability. The patch can be found here:
>>
>> http://www.eeye.com/html/research/alerts/AL20060324.html. A second
>> patch has been made available by Determina.
>>
>> At this point, we do not recommend applying this temporary patch for a
>> number of reasons:
>>
>> The workaround, to turn off Active Scripting AND to use an alternative
>> browser is sufficient at this point.
>>
>> We have not been able to vet the patch. However, source code is available
>> for the eEye and the Determina patch (for Determina: the source is part of
>> the MSI file. For eEye: the source code is available as a separate file).
>>
>> Exploit attempts are so far limited. But this could change at any time.
>> Some specific cases may require you to apply the third party patch. For
>> example, if you are required to use several third party web sites which
>> only function with Internet Explorer and Active Scripting turned on. In
>> this case, we ask you to test the patch first in your environment. You
>> may also want to consider contacting Microsoft.
>>
>> We do suspect that Microsoft will still release an early patch given the
>> imminent danger to its customers from this flaw. As stated by the company
>> about two years ago, patches can be released within 2 days if needed.
>> Microsoft has honed its patching skills from numerous prior patches. At
>> this point, Microsoft suggested that the patch will be released no later
>> than the second Tuesday in April. Based on prior public commitments, we
>> do suspect that Microsoft will issue the patch early once they are
>> convinced that customers require the use of Internet Explorer in
>> production environments.
>>
>> Please let us know about issues (or successful installs) of either patch.
>> We will summarize issues here.
>>
>>
>
> This is one site that I do trust with my security. If they say don't
> use IE at all, then I won't use it. If they say follow Microsoft's
> advice, then that's my recommendation. And, for the people who will say
> that they are a "Microsoft Puppet", they were extremely critical of how
> Microsoft handled the WMF vulnerability. Just go back through their
> archives and look
...well, if you are comfortable with it...go with it.
> Patrick.
>
> P.S. Nice false follow-up. It almost tricked me into not being able to
> post my reply.
Patrick...What are you trying to say?????
Imhotep