Slashdot Mirror
Serious Security Flaw in MSIE 5.01, 5.5
Visit an attacker's webpage using Microsoft's browser on Microsoft's operating system, and the attacker can execute arbitrary code on your system with your full privileges. Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, so reading email from an attacker (opening attachments not necessary) also gives them full access to your machine. MSIE 5.5 is vulnerable, and MSIE 5.01 is vulnerable unless you've installed Internet Explorer 5.01 Service Pack 2. Read the
security bulletin
and download the patches. Discovery props to
Kriptopolis.
Just think of the following scheme: (If I understood correctly, it should be possible to create the following worm)
1) Send this worm to everyone in the address book using the randomly taken subject from the your previous emails.
2) Install timebomb into computer, which deletes all the files after few days
3) Send all your previously written emails to random recipients taken from the address book.
Worm would spread like a wildfire as the message does not look suspicious (it comes from a known sender and the subject is reasonamle as it has been used before by the sender). As no questions are asked from the user - all the outlook users reading the message would be affected.
Worm would be totally destructive, as all the files would be deleted.
Probably most damage would be done by sending the previous communication to random recipient. Just look into your sent messages folder and imagine what would happen if you would send the messages to random recipients taken from your address book.
Do you still have the gust to use Windows/IE/Outlook ?
- A.P.
--
* CmdrTaco is an idiot.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
I find it odd that people are bashing MS because so many programs are using IE to render HTML.
Think about it. There is a standard way for any program to render HTML in a window. Instead of everyone reinventing the wheel, all a programmer has to do is create a COM object and display it in a window.
Of course, the average Slashdotter is using this as evidence that Microsoft is the tool of Satan and their buildings shall be razed and their children and their children's children unto the fifth generation shall be cursed and despised, etc.
Modularity is good. Standard ways of doing things is good. Code reuse is good.
Now, the fact that there is absolutely no way to replace IE with your web browser of choice is evil (despite the fact that email clients, HTML editors, conferencing software and whatever else can be easily replaced) and the fact that Microsoft is terminally unable to write a program that doesn't serve as a speedy means of either crashing the OS or inviting in unwanted network guests is also evil. So they are the tool of Satan and their buildings shall be razed and their children and their children's children unto the fifth generation shall be cursed and despised, etc.
On a side note, GNOME is doing the same thing. Any program can use gtkhtml to render HTML in a window. Evolution is using it to display email messages (sound familiar?), Red Carpet uses it for UI, and GNOME Help uses it to render content. IIRC, the plan is to eventually replace gtkhtml with Mozilla (which does a much better job of complying to standards and rendering documents than gtkhtml.
Microsoft already has a fix out. I think this bug was reported today. I'm impressed.
So many people here always scream that Open Source is better because you don't have to "wait for the service pack" in order to get fixes. Granted, the bug probably would've been found sooner if the source were open, but the fact that there is a fix out already is admirable.
I think this is going to be another long thread of unwarranted Microsoft bashing. You can bitch about the bugs in IE and it's security hazards, but if they get fixed this fast then it really detracts from your argument that Microsoft sucks. There have been security flaws found in Linux with a fix issued and instead of posts saying "Linux sucks, here's yet another security patch I have to add!" they're praising the community for getting a fix out so much faster than Microsoft would have.
--
As far as Wu-ftpd goes.. dude. Seriously. Use Proftpd. It's better anyway.
> If you want to make a constructive criticism, then you should have them rewrite the whole OS.
MS doesn't need to *rewrite* this stuff, not *really*, but initiating a large-scale security-oriented code audit of the entire text of their networking and web browser code is something that they could really stand to do, BEFORE they start thinking about windows xp or whatever. They certainly have the resources. How do you propose to get them the initiative? Cuz it's sure as hell not my problemNot a bad idea. Here's a better one. Two words: CODE AUDITS.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
YESS, it really kind of *is* an MS thing. Except for one vague memory or so of an incident involving a java hole, you just plain don't *SEE* security holes popping up with Netscape or Opera or Omniweb or really ANY browser except MSIE! *Netscape* got security right, and their software was AWFUL! But that there should be THIS many instances of hardware-access-level vulnerabilities in something meant to display web pages.. just. blah. it blows my mind.
--mcc
it is late and i am spastic and bitter
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
The problem with this is that this isn't just a Well, Now It's Over And We Can All Get On With Our Lives type thing. If this were an isolated incident, "Move on" would be good advice indeed; however, Microsoft is developing a literal track record when it comes to security vulnerabilities. Security holes in MSIE, SERIOUS ones, seem to be cropping up on the order of once every couple of months;
i can think of at least four times since MSIE 4 that ways for attackers to affect the contents of an MSIE user's hard drive have been discovered, and i haven't even been watching it closely.
Are you really sure that "forgive and forget" is a good idea?? Do you honestly think that this isn't going to happen again? Do you honestly think if people let this issue rest-- and they will-- that microsoft is going to change its ways on its own? It certainly didn't the LAST couple of times this happened.
Keep in mind these are the people that you're supposed to be buying an attempted NETWORK OS (windows xp) from in a year or so, and they can't pull off security in a passive web browser. XP involves the passing around of remote executable code, doesn't it? Don't you think some SERIOUS pressure needs to be brought to bear on microsoft until they take steps to ensure that the security issues in their browsers are dealt with, COMPLETELY?
I am a Mac OS X user, so i am not *too* worried about this, but i do use MSIE from time to time, and so i for one am extremely alarmed with microsoft's nonchalance with security issues. Microsoft seems to have no interest to bring these "technologies" (activex, for example) that seem to be causing the problems to the macintosh platform, and the Macintosh port of IE shares no codebase with the windows version, so i am not directly threatened; however i still feel somewhat insecure with using MSIE.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
-- Imagine how much more advanced our technology would be if we had eight fingers per hand.
Come on now BIND, wu-ftpd, and even sendmail get bashed regularly on slashdot (and rightfully so especially BIND). It's because of all the bashing that BIND9 was re-written from scratch.
Don't you remember the recent thread about BIND? Whenever a major security breach is discovered it gets covered on slashdot why should MS be immune?
War is necrophilia.
Well that's not what they testified to in court. Are you suggesting that the top brass on MS committed perjury?
War is necrophilia.
Foot-And-Mouth Believed To Be First Virus Unable To Spread Through Microsoft Outlook
Atlanta, Ga. (SatireWire.com)
Scientists at the Centers for Disease Control and Symantec's AntiVirus Research Center today confirmed that foot-and-mouth disease cannot be spread by Microsoft's Outlook email application, believed to be the first time the program has ever failed to propagate a major virus.
"Frankly, we've never heard of a virus that couldn't spread through Microsoft Outlook, so our findings were, to say the least, unexpected," said Clive Sarnow, director of the CDC's infectious disease unit.
The study was immediately hailed by British officials, who said it will save millions of pounds and thousands of man hours. "Up until now we have, quite naturally, assumed that both foot-and-mouth and mad cow were spread by Microsoft Outlook," said Nick Brown, Britain's Agriculture Minister. "By eliminating it, we can focus our resources elsewhere."
However, researchers in the Netherlands, where foot-and-mouth has recently appeared, said they are not yet prepared to disqualify Outlook, which has been the progenitor of viruses such as "I Love You," "Bubbleboy," "Anna Kournikova," and "Naked Wife," to name but a few.
Said Nils Overmars, director of the Molecular Virology Lab at Leiden University: "It's not that we don't trust the research, it's just that as scientists, we are trained to be skeptical of any finding that flies in the face of established truth. And this one flies in the face like a blind drunk sparrow."
Executives at Microsoft, meanwhile, were equally skeptical, insisting that Outlook's patented Virus Transfer Protocol (VTP) has proven virtually pervious to any virus. The company, however, will issue a free VTP patch if it turns out the application is not vulnerable to foot-and-mouth.
Such an admission would be embarrassing for the software giant, but Symantec virologist Ariel Kologne insisted that no one is more humiliated by the study than she is. "Only last week, I had a reporter ask if the foot-and-mouth virus spreads through Microsoft Outlook, and I told him, 'Doesn't everything?'" she recalled. "Who would've thought?"
Copyright © 2001, SatireWire
--
$ find
Ok, I did a fresh install of windows on a computer at work. Windows 98 first edition. I popped in the cd, the install ran, and in 30 minutes the computer booted and I went to the Windows Update site. Four downloads and two reboots later, I have a reasonably secure system with no known exploits. Full install, all fixes applied - less than an hour and a half.
This is a pretty useless argument. Atfer spending this amount of time with an install of Windows 98, adding the updates and rebooting a couple of times you have an OS installed. If I spent the same amount of time with a Red Hat 7 install and updates I have everything I need to get my work done. I have Emacs and and gcc andPERL and Apache and MySQL and OpenSSH and Abiword and Gnumeric and Netscape and Mutt, etc.
You have Windows, IE, Outlook Express and WordPad. Joy, just what the hell are you going to do with that?
You're comment about Windows being secure is true. On the other hand its' not like it does anything either. As soon as you install an FTP server, a web server, an RDBMS and a remote acces program you have the potential to get just as "owned" as any other OS.
What people are trying to say here is that making my email program execute code because I've got something showing in the preview pane is pretty damn dangerous. Yesterday, for the first time in my life, I recived an email that makes use of these fancy scripting features. Its' a piece of spam (which I signed up for) from the Ministry of sound with a link to their new TV ad and a little flash animation. Its' pretty cool but I'll live without it if that's the cost of not getting email that causes some trojan to be executed.
That is inaccurate. It's thanks to an object oriented operating system that we have this problem.
Not sure what OO has to do with it; the problem is a program that executes code recieved from the net without even asking. That's the problem. Let's hope KDE never does anything that silly.
--
--
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
I find that quite understandable. People who don't deal with Windows on a regular basis generally don't have very strong feelings about it. This makes it easy (and fun) to maintain an attitude of casual scorn and contempt toward that particular festering pile. When one is forced to use Windows, however, one's attitude unfortunately degenerates into pulsating screaming hatred.
Here's the translation for your average slashdotter
Originally posted: March 29, 2001
We would have told you earlier, but we were sharpening our throwing knives and trying to install "Unix" on our computers...
Summary
Who should read this bulletin: Customers using Microsoft® Internet Explorer.
Let's see... IF I were running IE, then the Attackers^tm would be fiercely attacking me now and I wouldn't be reading this right now... but the translation is:
Who should read this bulletin: any of the sheeple that we have convinced to use our (superior) product.
Impact of vulnerability: Run code of attacker's choice.
So basically, this lets someone malicious tell your computer what to do.
Recommendation: Customers using IE should install the patch immediately.
So basically, this lets someone malicious tell your computer what to do.
El Karma: excelente(principalmente la suma de moderación hecha a los comentarios de los usuarios)
Their operating systems boast a superior UI, an extensive object-oriented architecture complete with distributed RMI, and run on a greater variety of hardware than any other system, including GNU/Linux.
NT has only taken market share from UNIX. (Which, as most of you are too ignorant to know, was a Big Bad Corporate OS in the 80s. Just like IBM was evil in the 80s. How things change... a few open-source UNIX-ripoffs later, and UNIX is considered "grassroots" by many people here, just like IBM is now seen in a similar light for their "heartfelt" support of Linux.)
They've also completely taken over the desktop market. Of course the roots of this monopoly are 20 years old, but they've only had a truly desirable product for about five.
I like NT. I wouldn't let it in my server room, but it makes a damn good workstation OS. I like its interface best of all I've tried. It has excellent hardware and application support. In addition to being a great development environment, it plays games and DVDs. And my UNIX boxes are never farther away than a telnet session.
MSFT has perhaps produced a greater volume of useful code in five years than anyone else ever has, and NT is still four times younger than UNIX. So I'm willing to forgive some bugs.
--
--
I like to watch.
--
--
I like to watch.
A good exercise would be to take NSA Linux and Mozilla and make them work under such restrictions. This might include managing the cache in a separate process with slightly different privileges. The cache manager needs to read and write the cache, but should never interpret the content. (Think of the cache as being managed by a built-in proxy server, while the main browser does no cacheing.) Configuration also needs to be done by a separate program and process, one that gets its input from the user, can't get input from the net, and can write the preferences files. This gets all the code that can write permanent files out of the main part of the browser.
Done this way, it doesn't matter if the browser code has security holes because the browser code is not trusted. The mandatory security protections of the OS prevent it from doing anything. This is the right way to do it, and the only one that will work.
Combine this new exploit with this old one that lets you read any file off someone's harddrive and I think Microsoft might be able to market these as .NET features.
-gerbik
The problem is that we cannot move on. There is no alternative. We have to use whatever Microsoft gives us and smile while they shaft us. IMHO that's what the anti-trust trial is really all about and not whether or not someone's ability to "innovate" is being stifled by goverment regulations. If their product was just so good that everyone chose it out of their free will, people would move on to competitors when something like this happens.
Netscape? Don't make me laugh. Mozilla? I like it, but it still crashes within 15 minutes.
But to be honest, a system is only as secure as the user or the admin sitting at it. Uneducated users are the most dangerous security hole there is. You can have the best security, the lest buggy code, but if you have a tool using the system you may as well go flush your hard worked over secuirty systems down the drain. Okay, that is expanding on the truth, but it's a frustration I feel every day.
I know we will see dozens of anti M$ bites, but really, who are we kidding? Security is not an easy thing and everyone gets it wrong at some point. I had a supposably secure Sun OS 0wnd by a script kiddie all because the damn admin wanted telnet open. What can you do if people wont take security seriously? I run a IIS webserver due to an app needing it and it has been attacked - it has stood up because I keep up with the lastest problems. You just have to do it.
You also have to realise security is tradeoff. I can guarenttee I could build you a Linux server so tight only the true elite would root it.... but how usuble will it be? Not very. The problem demonstrated here is that very tradeoff, MS wants usabliity, so do the unwashed masses. Makes it easy to exploit. Tighten it up and the unwashed wonder why they cant download their porn without some popup telling them that this download or link could be malicious and to proceed after the seven other warning they would get.
What's the solution in the end? Geeks like us educate the Great Unwashed maybe, I dont know. Certainly a different security paradigm than what Microsoft has.
"Old Rallydrivers never die - they just fail to book in on time"
> OK. My apologies. :)
:-)
:-)
OK. Let's say I remove this comment about the placement of your head.
You know, I just commented on your first sentence, and I must admit nor having read the rest of your post. So much of intellectual honesty. You were such an easy target...
> I would go into a long rant here about my personal belief that unweildiness of Mozilla
That would be interesting. I find mozilla code awful, and beleive that the original sin was to make 'dynamic' code with C++. When I look at the code, I pity them, as they took great amount of pain to code in C++ things that would have been natural with Objective-C. Of course, I am biased on this
Cheers,
--fred
1 reply beneath your current threshold.
> first off, Creating something like BIND is infinitely more difficult than something like MSIE--
Gently put your head out of your ass. You obviously don't know what you are talking about. Bind is a two-banana hack compared to MSIE. MSIE have about the same complexity as Mozilla. Ever looked at mozilla source code ? Ever tried to build it ? Now take a look at BIND source code. Build it. Draw you conclusion in term of complexity.
A BIND bug is very serious because it can compromise huge segments of the network. But people that run BIND know what they are doing (or should know). And there are alternatives.
A MSIE bug is very serious because it can compromise a huge number of individual hosts. Furthermore, people don't choose to run MSIE, they have to, or they just don't know that they are running it. And you can't remove MSIE from a windows machine.
So, IMNSHO, a MSIE bug is more serious than a BIND bug.
Cheers,
--fred
1 reply beneath your current threshold.
Then again, it wasn't CmdrTaco who posted this, but we're making strides.
I'm impressed with the comments I've seen moderated up so far. Usually stories like this are flooded with comments like "Microsoft sux0rz, this is why Open Source is better!"
Isn't it funny that when a bug is discovered in Microsoft software, it's a victory for Open Source, and when a bug is discovered in Open Source software, it's a victory for Open Source?
NO CARRIER
You are delusional.
Windows has existed in its present forms for about five years.
I presume you are judging the OS by the GUI. Windows NT version 3.1 was released on July 17, 1993. The GUI was different, but the architecure was there, care of David Cutler.
That was the release date. Microsoft recruited David Cutler in 1988, well before Linus started.
Superior UI? Look at the quality of window managers. I'm sorry, but Sawfish, Window Maker and Enlightenment all kick Windows' butt when it comes to utility and control. And themability makes them look good too.
OO Architecture? Um, I think you'll find Gnome and KDE are riddled with OO.
Greater variety of hardware? NT had x86, Alpha, MIPS, even PowerPC, but they're all unsupported now. The free OS's easily wipe microsoft's peachy behind with their portability and the number of actual ports. All of those above plus loads more.
They've had the desktop market since the PC clone became popular. There wasn't a real desktop market before this. They didn't take that from anyone.
Yes, NT is taking share from Unix. But the free OS's, chiefly Linux, along with the rise of the Internet, is challenging this.
MSFT has perhaps produced a greater volume of useful code in five years than anyone else ever has
No, they just keep re-releasing the same code with new bells and whistles. The bulk of the code has been made by other companies, later bought up by MS.
Perhaps you can tell I do not like MS. I grew up with MS and I used to love their products. I still like the style of their early manuals (when you got them). But maturity and familiarity have given me perspective. I think you need some too.
Yours Sincerely, Michael.
No, the shocker is that a Microsoft bug was posted on Slashdot with the (entirely unbiased comment I might add) phrase "patch now, patch now". For once, Slashdot is caring about those who view their site from the other side of the fence. Then again, it wasn't CmdrTaco who posted this, but we're making strides.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
Comment removed based on user account deletion
Oh, and thanks to Microsoft innovation - you may remember this from the trial - the browser is integrated with the OS, [etc, etc]
That is inaccurate. It's thanks to an object oriented operating system that we have this problem. Ever heard of the term "reuse"? It's a feature, not a bug, that you can reuse components in various applications without having to rewrite them.
KDE would have exactly this flaw if the Konquerer component had this flaw and an e-mail reader used the component.
In short, I wish people would stop with the idiotic Microsoft bashing. All software has bugs. Let's fix it and move on.
--
Sometimes it's best to just let stupid people be stupid.
Special note of warning, the website has been more messed up than usual over the past few days, especially in trying to download the 5.01 sp2. I'm still trying to find the full package in one compressed file so that some folks can save the bandwidth.
My opinion: reports and pr to the contrary, the bit and piece auto install over the net is not more convenient. Especially when you have poeple mobbing sites for an update.
But if you are here reading this, you probably know this already.
Check out the Vinny the Vampire comic strip
"It is a greater offense to steal men's labor, than their clothes"
I don't know what the big deal is here. This has happened to many other browsers before, including older versions of IE. With new standards, scripting and virtual machine technologies being implemented in browsers continually, it is expected. It is a simple browser vulnerability, and that is all.
This is not new, if you read Bugtraq, or even Georgi Guninski's page, you will see this and many other exploits are a common occurance in many browsers. Even browsers that handle only plain html like Lynx have been proven vulnerable at times.
Since IE3, many vulnerabilities like this have popped up in MS's browser. IE3 was far worse, as both the Windows and Macintosh platform could both be explotited in terrible ways. Also, we can't forget the famous Netscape Brown Orifice exploit, which Netscape admittedly couldn't even fix in their 4.x series of browsers. I'm sure there are some fine exploits waiting to be found in the lesser used browsers too, but they are just far less reviewed by the security community.
Now I don't think its right that such vulnerabilities exist, but bugs will always be present in software. Internet Explorer just happens to use a lot of mixed technologies and therefore there are more ways for it to be exploited. This is nothing more than someone exploiting a vulnerable version of BIND or RPC. The only difference I find here is that Microsoft is involved, and thus makes a good sensationalist Slashdot target.
The clash of honour calls, to stand when others fall.
Below is the link to the explaination of said hack, that includes 'source' et al.
m l
http://lists.nat.bg/~joro/webctrl2.html
and the URL from ZDNet that linked to it.
http://www.zdnet.co.uk/news/2000/35/ns-17763.ht
Demonstration is available at: http://www.nat.bg/~joro/webctrl1.html
Workaround: Disable Active Scripting
Black and grey are both shades of white.
csh: explorer: command not found
oops... I'm not on Windows...
April Fools is coming!@!
Macroshaft Security Bulletin (MS01-069)
Patch Available to Improve Packet Pigeon Performance
Originally Posted: October 22, 1999
Summary
MacroShaft has released a patch to ensure delivery of packets via Packet Pigeon birds. This is long overdue and is a must secure vulnerability on all MacroTrash products.
Frequently asked questions regarding this vulnerability will always be laughed at MacroShaft and AntiOffline
Issue
The Packet Pigeons used in large cities were sometimes affected by those in the geriatric stages of their lives, as these 60+ year olds fed Packet Pigeons en route to their destinations causing a denial of service.
Affected Software Versions
- MacroShaft Windoze NV 4.0 Crashstation
- MacroShaft Windoze NV 4.0 Server
- MacroShaft Windoze NV 4.0 Server, Enterprise Crash Edition
- MacroShaft Windoze NV 4.0 Server, Terminally Ill Edition
Patch Availabilityhttp://download.some.0-day.warez.com/at/some/othe
http://download.some.0-day.exe.files.com/else/whe
(NOTE: MacroShaft really cares about it luzers.)
More Information
Please see the following references for more information related to this issue.
http://www.MacroShaft.org/cgi-bin/display?=%2edev
http://www.antioffline.com/scriptkiddiesoup.html
Microsoft Insecurity Advisor web site, http://www.wiretrip.net
Obtaining Support on this Issue
This is a fully supported patch. Information on contacting MacroShaft Technical Support is available at http://support.macroshaft.and.all.of-its-h0es.com
Acknowledgments
MacroShaft acknowledges deran9ed/sil of AntiOffline for bringing this issue to our attention and we will up his p0rn quota to 2 gigs.
Revisions
THE INFORMATION PROVIDED IN THE MACROSHAFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROSHAFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, OR EVEN EXORTED INTO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MACROSHAFT CORPORATION OR ITS WHORES BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES TO YOUR PORN DIRECTORIES NOR PACKET PIGEONS, AND POKEMON, EVEN IF MACROSHAFT CORPORATION OR ITS H0ES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. PEOPLE OF GERIATRIC AGE SHOULD HAVE THEIR LICENSES REVOKE AND THROWN INTO LABS TO SERVE AS LAB MICE. AND IF YOU ACTUALLY READ ALL OF THIS THEN YOU MUST BE AS BORED AS WE WERE. ANTIOFFLINE RESERVES THE EXCLUSIVE RIGHT TO POKE FUN AT YOU, WITHOUT INDEMNIFICATION, OR GRIEVANCE TO YOUR PATHETIC COMPLAINTS. SOMEONE SHOW ME WHERE THE CAPS LOCK KEY IS!@!
(c) 2001 AntiOffline Corporation. All rights stolen. Terms of Use.
You have received this e-mail bulletin as a result of your moronic use of our Products. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to WE-PAY-NO-ATTENTION-TO-YOUR-MAIL@MACROSHAFT.ORG The subject line and message body are not used in processing the request, and can be anything you like.
For more information on the MacroShaft Security Notification Service please visit http://www.packetstorm.securify.com For security-related information. For MacroShaft products, please visit the MacroShaft web site at http://www.macroshaft.org/ more advisories like this can be found here
360 degrees of Karma
"Microsoft tested IE 5.01 and IE 5.5 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability." You are on your own.