Microsoft makes critical security updates available even to users it knows are pirating the operating system.
And it's not because they're being nice. It's because it's bad for everyone to have unpatched users out there.
IIS is an HTTP server. It has no ties with IE.
Any apps that are IE6-specific are certain to be very, very old. At some point you have to lose sympathy for the customers who refuse to update. Unfortunately, MS is committed to supporting IE6 well into 2014.
The public exploits only affect IE6 users on XP.
Private exploits could affect IE7 users on Vista or even IE8 users on XP, but not if they activate DEP. If you activate DEP, even XP users are protected. IE8 users on Vista and Win7 are effectively protected by DEP/ASLR.
So, in effect, if you update even just to year-old technology you're protected.
I should have added that "Dries" is pronounced "Dreez" (rhymes with "cheese").
He's just "Dries", like everyone knows that "Linus" is Linus.
I think the last name is pronounced "Buy-tart", emphasis on the Buy.
If the user is on Vista or Win7 they'll have to disable protected mode as well in order for the exploit to be able to do anything meaningful.
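The comments above rest on two machine-side conditions: whether DEP is enforced system-wide (the point about XP and IE7/IE8 users) and whether IE's Protected Mode is still on for Vista/Win7 users. The following PowerShell check, written for this page and not taken from the thread, Microsoft or any bulletin, reports both and carries the corrected settings. The Win32_OperatingSystem DataExecutionPrevention_* properties and the Internet-zone value 2500 are the documented locations; the policy name table and the function names are this example's own.

```powershell
# Example for this page (not code from the thread or from Microsoft).
# Reports the system DEP policy and IE Protected Mode for the Internet zone,
# the two conditions under which the comments above say the exploit is blunted.
# Run as an administrator. bcdedit exists on Vista/Win7 only; XP configures
# DEP through the /noexecute switch on the boot entry in boot.ini instead.

# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
$depPolicyNames = @{
    0 = 'AlwaysOff - DEP disabled for all processes'
    1 = 'AlwaysOn  - DEP enforced for all processes, no opt-out'
    2 = 'OptIn     - default on client Windows: Windows binaries and processes that opt in only'
    3 = 'OptOut    - all processes except an exception list'
}

function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    New-Object PSObject -Property @{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        PolicyCode           = $policy
        Policy               = $depPolicyNames[$policy]
        Covers32BitApps      = [bool]$os.DataExecutionPrevention_32BitApplications
    }
}

function Get-IeProtectedModeStatus {
    # Zone 3 is the Internet zone; value 2500 is "Turn on Protected Mode": 0 = on, 3 = off.
    # Protected Mode also needs UAC (EnableLUA = 1); with UAC off it is silently inactive.
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $uacKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $zone = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
    $uac  = Get-ItemProperty -Path $uacKey  -ErrorAction SilentlyContinue
    $pm = $null
    if ($zone -and $zone.PSObject.Properties['2500']) { $pm = [int]$zone.'2500' }
    New-Object PSObject -Property @{
        ProtectedModeValue = $pm                     # $null: value absent, IE's default applies
        ProtectedModeOn    = ($pm -eq 0)
        UacEnabled         = [bool]($uac -and $uac.EnableLUA -eq 1)
    }
}

function Enable-DepAlwaysOn {
    # Corrected setting for Vista/Win7: enforce DEP for every process (needs a reboot).
    # The braces must be quoted, or PowerShell parses {current} as a script block.
    bcdedit.exe /set '{current}' nx AlwaysOn
}

function Enable-IeProtectedMode {
    # Corrected setting: turn Protected Mode back on for the Internet zone.
    Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' `
        -Name '2500' -Value 0 -Type DWord
}

$dep = Get-DepStatus
$pm  = Get-IeProtectedModeStatus
$dep | Format-List HardwareDepAvailable, Policy, Covers32BitApps
$pm  | Format-List ProtectedModeValue, ProtectedModeOn, UacEnabled
if (-not $dep.HardwareDepAvailable -or $dep.PolicyCode -eq 0) {
    Write-Warning 'DEP is not protecting this machine; IE6/IE7 here are exposed to the exploit.'
}
if (-not ($pm.ProtectedModeOn -and $pm.UacEnabled)) {
    Write-Warning 'IE Protected Mode is not in effect for the Internet zone.'
}
```

On XP the Policies\System key has no EnableLUA value, so the script reports Protected Mode as not in effect, which is correct: XP has no Protected Mode at all, and DEP is the only one of the two mitigations available there.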
So if a user running IE6 on XP, who doesn't enable DEP, gets exploited, who is really to blame? This is an ancient configuration, and Microsoft has, for a long time, provided products and technologies to address the problems in it.
You do realize that IE7/Vista is not (by default) vulnerable to the Aurora attacks, don't you? So this incident isn't really a lesson for them to switch.
Perhaps you can get them to use Chrome. Google's a real company after all.
Schmidt wasn't just "a former Bush administration official," he was the first cybersecurity czar, appointed shortly after 9/11 and contributed to the National Strategy to Secure Cyberspace. I suppose they didn't get it right the first time, but things will be different now.
Don't let Obama off easy on the "turf wars" thing. He specifically promised multiple times in the campaign to hire a security czar who would report directly to him and have real authority.
For months nobody would accept this position because it was set to report both to the National Security Council and National Economic Council and have no budgetary authority. Now it seems that he will report only to the National Security Council, but this still breaks Obama's promise, although this is hardly the only time he tossed aside a campaign promise.
This is an excellent point. Recall that the resistance to VB.NET in the VB community was immense, as it introduced significant changes. With time (and the certainty that things were changing whether they liked it or not) VB programmers seem to have moved on.
If it's really over 100,000 sites with the same attack then there's something obvious they have in common, like the same PHP/MYSQL library, and it has a predictable vulnerability in it.
I'm sure all of them end up with a pirated copy of XP before too long.
I was doing this with Cliff Notes 35 years ago
MS09-054
FAQ for HTML Component Handling Vulnerability - CVE-2009-2529
If I use Firefox, which Internet Explorer update do I need to install?
If a computer system is configured for Automatic Update, the correct update will be downloaded and made available for installation depending on the Automatic Update configuration. In the event that a computer system is not configured for Automatic Update, users should verify which version of the Windows operating system and Internet Explorer is on their system and download the appropriate update.
If I install this security update, do I need to disable the Windows Presentation Foundation Plug-in in Firefox to be protected from this vulnerability?
No. Customers who have installed the security updates associated with this security bulletin are protected from this vulnerability.
If I have not yet applied this security update, how do I disable the Windows Presentation Foundation plug-in in Firefox?
If you have not yet applied this update, you can disable the Windows Presentation Foundation plug-in in Firefox to block this vulnerability. To do this, launch the Firefox browser, select the Tools pull-down menu, and then click Add-ons. Select the Plugins icon at the top of the Add-ons window. In the list of Plugins, select Windows Presentation Foundation 3.5.30729.1 and click Disable.
If I uninstall the .NET Framework Assistant extension, does it disable or remove the Windows Presentation Foundation plug-in?
If the .NET Framework Assistant extension is uninstalled it does not disable or remove the Windows Presentation Foundation plug-in. The .NET Framework Assistant and Windows Presentation Foundation plug-in are controlled through different screens in the Firefox Add-ons management window.
Use this link instead of the one in the parent. I updated to indicate that Mozilla has unblocked.
Mike Shaver has posted a blog explaining that they are unblocking the Microsoft code because Microsoft has clarified their advisory.
Microsoft has updated their advisory and blog on the matter to address Firefox.
Later in the day I asked Microsoft for their explanation of all this. No answers yet. Probably none till tomorrow.
I know I didn't intentionally install most of these, and the Acrobat and Windows Media Player ones are, I believe, the only ones I specifically installed or agreed to.
Recent versions of the Windows Presentation Foundation plug-in have enable/disable, so that can't be the reason for it.
I stand by my subject line: Mozilla is being inconsistent here.
As I said elsewhere, a lot of plugins seem not to report their version information. Why don't you disable them too?
According to your plugin checker the following plugins on my system don't report version information:
Java(TM) Platform SE 6 U13: Java(TM) Platform SE binary
Microsoft Office Live Plug-in for Firefox: Office Live Update v1.4
Java Deployment Toolkit 6.0.150.3: NPRuntime Script Plug-in Library for Java(TM) Deploy
ActiveTouch General Plugin Container: ActiveTouch General Plugin Container Version 104
Adobe Acrobat: Adobe PDF Plug-In For Firefox and Netscape
Microsoft® Windows Media Player Firefox Plugin: np-mswmp
Google Update: Google Update
iTunes Application Detector: iTunes Detector Plug-in
See this screen shot.
Many of these have had vulnerabilities in the past.
I haven't talked to anyone at Microsoft. I'm just reading what they're putting out publicly.
Somewhat tangential to the subject: your plug-in check page showed a lot of my plugins as not reporting version information.
Is there a standard interface for this that many plugins are ignoring, or do you have to fish out version information from files?
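Two questions in this thread come down to the same registry data: whether a machine still has the Windows Presentation Foundation plug-in registered with Firefox (the MS09-054 FAQ above), and where a checker can get a version for plug-ins that don't report one (the question just above). Here is an added PowerShell example for this page, not code from Mozilla, Microsoft or anyone in the thread. It walks the PLID keys Firefox reads on Windows, pulls each plug-in's file version straight from the DLL on disk rather than from whatever the plug-in registers, and flags the WPF plug-in. The PLID string assumed for the WPF plug-in and the output field names are this example's own; confirm the PLID against the key names on your system.

```powershell
# Added example for this page, not code from Mozilla, Microsoft or the thread.
# Firefox on Windows discovers NPAPI plug-ins through "PLID" registry keys under
# SOFTWARE\MozillaPlugins (HKLM for all users, HKCU for the current user).
# Each key holds a Path value naming the plug-in DLL and, optionally, Version,
# ProductName, Description and Vendor. A plug-in that omits Version looks
# version-less to a checker that only reads what the plug-in registers, but the
# DLL itself still carries a file version that can be read from disk.

$pluginHives = @(
    'HKLM:\SOFTWARE\MozillaPlugins',
    'HKLM:\SOFTWARE\Wow6432Node\MozillaPlugins',   # 32-bit plug-ins on 64-bit Windows
    'HKCU:\SOFTWARE\MozillaPlugins'
)
# Assumed PLID of the Windows Presentation Foundation plug-in from the FAQ above;
# check it against the key names on your own machine.
$wpfPlid = '@microsoft.com/WPF,version=3.5'

function Get-MozillaPluginInventory {
    foreach ($hive in $pluginHives) {
        if (-not (Test-Path -Path $hive)) { continue }
        # Read values through the RegistryKey object: PLIDs contain '/', which
        # PowerShell would otherwise treat as a path separator.
        foreach ($key in (Get-ChildItem -Path $hive)) {
            $dllPath    = $key.GetValue('Path')
            $dllPresent = [bool]($dllPath -and (Test-Path -LiteralPath $dllPath))
            $fileVersion = $null
            if ($dllPresent) {
                $fileVersion = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($dllPath).FileVersion
            }
            New-Object PSObject -Property @{
                Plid            = $key.PSChildName
                Hive            = $hive
                Product         = $key.GetValue('ProductName')
                ReportedVersion = $key.GetValue('Version')   # $null when the plug-in registers none
                DllPath         = $dllPath
                DllPresent      = $dllPresent                # stale registration if $false
                DllFileVersion  = $fileVersion               # read from the binary on disk
            }
        }
    }
}

function Test-WpfPluginRegistered {
    # True when the WPF plug-in is still registered with Firefox on this machine
    @(Get-MozillaPluginInventory | Where-Object { $_.Plid -eq $wpfPlid }).Count -gt 0
}

$inventory = @(Get-MozillaPluginInventory)
$inventory | Sort-Object Plid |
    Format-Table Plid, ReportedVersion, DllFileVersion, DllPresent -AutoSize
$inventory | Where-Object { -not $_.ReportedVersion } | ForEach-Object {
    "No registered Version for $($_.Plid); DLL file version is $($_.DllFileVersion)"
}
if (Test-WpfPluginRegistered) {
    Write-Warning ("WPF plug-in ($wpfPlid) is registered with Firefox. Compare its DLL file version " +
                   "with the file versions listed in MS09-054, or disable it under Add-ons > Plugins as the FAQ describes.")
}
```

The DllFileVersion column is the number to compare with the file version information a bulletin publishes; it answers the patched-or-not question for a machine regardless of what the plug-in tells the browser about itself.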
Maybe your system can't work with it, but they do publish the file version information for this update.
BTW, I don't assume you lie; it's just that your argument doesn't make sense to me as you worded it. And in your own blog you state that "Microsoft is recommending that all users disable the add-on." From everything I've read from Microsoft this is an overstatement. They advised disabling the add-on as a mitigation mechanism for those who had not applied the patch.
Even so, why do you block patched systems?