Slashdot Mirror


IE Flaw Puts Windows XP SP2 At Risk

Zigor writes "CNET is reporting that a new flaw has been discovered in Internet Explorer that could enable a remote attack on systems running Windows XP with Service Pack 2, eEye Digital Security has warned. The discovery of this IE flaw comes just over a month after Microsoft issued a cumulative patch addressing three vulnerabilities for IE. The new IE flaw also adds to another vulnerability, discovered last month, that affects systems using Windows XP SP2."

8 of 227 comments

  1. The Real News by TheRaven64 · · Score: 5, Informative

    I think the real news is not the fact that there is a new vulnerability, but that (from the second link) there are still 12 unpatched vulnerabilities allowing remote or arbitrary code execution found by one organisation. The oldest of these was reported in March.

    --
    I am TheRaven on Soylent News
  2. Re:Most Will Agree...But No... by baadger · · Score: 4, Informative

    This has been discussed before and seems to start flamewars.

    Yes there is a way to remove the IE engine from Windows 2000's installation files (and indeed integrate IE6 into them, since 2000+SP4 comes with IE 5).

    The method of doing so is here. However it breaks things such as Windows help, Windows Update and lots of miscellaneous parts of the OS. For me at least, it made the OS almost unbearable, introducing a lot of annoyances. Although to be fair, I followed the post-install instructions...in theory, pre-install removal should be smoother.

  3. Re:Most Will Agree...But No... by GlassUser · · Score: 4, Informative

    You should consider the Microsoft Baseline Security Analyzer. It will scan your computer (hell, it will remotely scan all the computers on your domain if you want), tell you what you have or don't have, and give you links to the download.

  4. Re:Open source enhances security of MSFT's custome by HerculesMO · · Score: 4, Informative

    I mentioned it in another article, but the key for Linux to break through to the desktop market is not for widespread adoption by corporate customers, it's just simple, plain old, EASE OF USE.

    I'm a pretty experienced computer user, EX-Windows developer (networking now), MCSE and while I can install Linux and get around it, I don't have a clue of an idea how to do a lot of things, including at times, install software (though I've figured that out with yum and rpm haha!). Either way... until Linux offers the eyecandy that OS X does, with the compatibility that Windows offers... it will still be the DESKTOP choice of nerds.

    I'm waiting for the next version of KDE for some improvements but in reality, I think there's a lot more to be done at even a kernel level to make some things more idiotproof.

    --
    The price is always right if someone else is paying.
  5. Re:Most Will Agree...But No... by Anonymous Coward · · Score: 4, Informative
    This is so easy, why make it so hard?

    Turn off ActiveX, in fact turn off everything in IE (scripting, install, etc) in the "internet" zone.

    Now, the easy part: add microsoft.com to the "trusted sites". In fact, if you surf to the windowsupdate site with ActiveX turned off you get the message of exactly what to add to "trusted sites".

    Sleep easy knowing that (a) windows update works (b) nothing else works. Happily use Mozilla for your web browsing.

  6. Re:You're kidding! by Anonymous Coward · · Score: 3, Informative

    Indeed. The proper title would be: "IE puts Windows at risk".

    Ditch IE, and all the spyware and other crap stops being an issue. I see so many people arguing over which spyware scanner is the best, like if it's a normal thing to have to scan your system for spyware every day in the first place. Just like people arguing over the best tire repair kit, seemingly thinking it's normal to have a flat tire every day.

    Don't use IE (lots of alternatives, including Firefox and Opera), and all these scanners will find is cookies (unless you run those hot_naked_girls.jpg.exe attachments every time you get one or such).

    Even IE on XP SP2 fully locked down or on Win2003 (and without MS' crappy JVM) gets nailed pretty bad if you visit a bad site. Sometimes the flaws are left unpatched for all too long, which forced us at work to block all IFrames on any webpage at the firewall for a long time, rendering a lot of entire websites useless (you'd only get a blank page).

    And don't give me the "I never get nailed for I only visit reputable websites" - because even those can, and it has happened before in various ways, like infected ad carriers, which are displayed on hundreds of reputable sites.

    Most MS products aren't quite as bad as most people tend to make it here on slashdot, but IE is definitely the worst piece of shit I've EVER used from any company - ever. If you use it, you're guaranteed it'll trash your PC - have fun reformatting every week!

  7. At least they are learning, this time from linux by linumax · · Score: 3, Informative
    At least they are learning ... (User Account Protection)
    Over the last several years, a number of viruses and worms have been directed at Windows. These attacks have cost our customers, both in the enterprise and home environment, significant amounts of money to remediate. Additionally, a variety of malicious software, especially SpyWare, is being installed or launched by unsuspecting users. Malicious software is even being built into otherwise useful and seemingly innocuous software.

    In both cases, our consumers' faith in Windows as a secure platform has been shaken. This software can compromise the integrity of the operating system and permit unauthorized access to a user's private data. The perception is that users of Macintosh or Linux do not suffer from this vulnerability as applications run as a limited user by default and do not have sufficient privileges to infect the system. Applications only run with additional privileges if the administrator explicitly chooses to do so and provides the necessary authorization.
  8. Real Comparison of IE and Firefox by Hamfist · · Score: 4, Informative

    Secunia has very informative pages about the relative security of IE and firefox.

    Firefox

    IE

    The problems with firefox compared to IE are:

    IE bugs are more frequently critical
    IE critical bugs take longer to patch
    Fully patched IE is less secure than Fully patched Firefox