Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another Critical Microsoft Hole

Posted by michael on from the your-daily-dose dept.

gmuslera writes "Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system. Now there is another related to an ActiveX control that can make IE and IIS to run any code in the system. The Microsoft solution? kill the related ActiveX control and replace it with a safe one. The Microsoft problem? As this control is Microsoft signed, any site can require it, upload it and replace the "good" one with the vulnerable one. The final recomendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft." Gimble points to the appropriate locations on Microsoft's website: "Another buffer overrun (that allows arbitrary code to be run) has been admitted to by MS, and it affects IIS and IE on clients (but not on XP), and they have a patch available here Security Hotfix for Q329414. The kicker is that a patched system can be rendered vulnerable again by a hostile web site or HTML email. The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

3 of 597 comments (clear)

  1. Re:Not true... by kalidasa · · Score: 1, Offtopic

    ...you could run it on Solaris too.

    What, does the Solaris Ocean do something to prevent MS operating systems from sucking? Man, that's wild.

    (Gratuitous Lem joke)

  2. Re:WTF ? by Violet+Null · · Score: 0, Offtopic

    The OP is +5 insightful, and the parent is 1, unmoderated? Mod parent up.

  3. Re:I realize most /.ers use IE, but... by Dog+and+Pony · · Score: 2, Offtopic

    Because Opera is not evil, just Norwegian? ;-)

    I just noticed that Opera 7 is out in a Beta. I think I'll go give it a spin right away...