Microsoft advises IE Explorer 5.x or IE 4.X users to upgrade immediately

If you can't upgrade than disable code execution features of old browsers immediately
02-17-2004 6:19:21 PM CST - By Paula Rooney, CRN

Microsoft is advising customers to move to Internet Explorer 6 Service Pack 1 and more recent patches following the leak of Windows NT and Windows 2000 source code to the Internet last week. While downplaying the potential for hackers to uncover new vulnerabilities in Windows by having access to the source code, one top Microsoft Windows executive said during a monthly security briefing on Tuesday that customers using IE 5.x or IE 4.X versions should quickly download the latest IE code to protect their networks. "Most of IE code is what was leaked," said Chris Jones, corporate vice president in the Windows Core Operating System Division, about the NT 4.0 and Windows 2000 code that leaked. "We don't believe [customers will be affected] so as long as they're current on the latest versions of IE. They need to move to IE 6 and security patches and service packs." IE 6.0 Service Pack 1 was released during the fourth quarter of 2002 and is currently integrated into Windows XP Service Pack 1 and Windows Server 2003, Microsoft executives said. Jones also advised customers to access the latest security fixes and patches to address critical and important Windows and IE vulnerabilities, including a significant release earlier this month.

During the monthly security Webcast on Tuesday, Jones and Mike Nash, Microsoft's corporate vice president of the Security Business and Technology Unit, acknowledged Microsoft is actively investigating reports published over the weekend about a new IE vulnerability identified as a result of the leaked code. Microsoft is confident that its own engineering staff has uncovered a good amount of the vulnerabilities, but the executives allowed for the possibility that there could be more IE 5.0 code that hackers could exploit. "We have done source code inspection, but we are doing due diligence," said Jones, noting that one of the IE vulnerabilities discussed over the weekend--in the Windows 2000 Service Pack 1--was already fixed by Microsoft in IE 6.0 Service Pack 1. Microsoft's security executives also advised enterprise customers that are still running IE 5.5, IE 5.0 or IE 4 to disable code execution features if they don't move to IE 6.0 Service Pack 1and patches. "We designed in security zones so [customers] can enable or disable browser features," Jones said during the one-hour Webcast. "I can set up Internet Explorer 4 and higher to not allow scripting or controls or other advanced technologies [to execute on IE]." ...continued....

http://www.crn.com/sections/BreakingNews/dailyarchives.asp?ArticleID=48010