Microsoft Security Advisory (2501696)

Discussion in 'other security issues & news' started by ronjor, Jan 28, 2011.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
    Microsoft
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
    http://blogs.technet.com/b/srd/arch...the-mhtml-script-injection-vulnerability.aspx
     
  3. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    Thanks.:thumb: I've applied the MHTML lockdown workaround since I believe it won't have much of an impact for me...
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://www.computerworld.com/s/article/print/9206999/Microsoft_warns_of_new_Windows_zero_day_bug:
     
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I enabled the lock down of MHTML too, using Microsoft®Fix it.
    Better late than never, I suppose.
    MS Fixit.jpg
    Pretty easy, if it works, and the removal tool is right there as well.
    Enable/Disable buttons here.
    MS Fixit II.jpg
     
  6. arleetel

    arleetel Registered Member

    Joined:
    Apr 28, 2006
    Posts:
    14
    Hello,

    Thanks for the fixit, applied it but is this enough ?
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Is it enough?
    I figure it's better than it was without the fix. ;)
    Read the advisories and see what you think about the workaround.
    I'm sleeping at night, if you know what I mean. :)
     
  8. arleetel

    arleetel Registered Member

    Joined:
    Apr 28, 2006
    Posts:
    14
    Thanks for your reply.
    I must admit that I'm just a bit paranoia about security, scared to get the computer compromised (doing payments online). I did read all the advisories more than once actually, it says that the fixit disables ActiveX and Active scripting, if I understood everything correctly. Going further would probably be a bit much. I have UAC enabled as well.
    Occasionally I use Google Chrome as an alternative.:doubt:
    Regards.:)
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    From what I have read in the advisory, arleetel, the impact of workaround is that, "the MHTML protocol will be restricted to prevent the launch of script in all zones within an MHTML document. Any application that uses MHTML will be affected by this workaround. Script in standard HTML files is not affected by this workaround."
     
  10. arleetel

    arleetel Registered Member

    Joined:
    Apr 28, 2006
    Posts:
    14
    Thanks for the clarification Page42. I did read all that stuff, that means that my understanding was wrong. Why can't microsoft just apply a patch next week and solve the problem, as I understood (hopefully right this time) they will not do so.
    Regards.
    arleetel
     
  11. cm1971

    cm1971 Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    727
    I just applied the fix it. Thanks for the heads up.
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Hello arleetel.
    Why can't MS just apply a patch, you ask?
    I'm thinking (just my opinion here) that their failure to release a patch is due to some combination of
    a) them not feeling that this vulnerability is dangerous enough or widespread enough, and
    b) the fact that they have already issued a fix that they believe is adequate enough for the time being.

    @ cm1971... :thumb:
     
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,049
    Location:
    USA
    It's my understanding they are going to patch this as part of this month's Windows Updates 3 days from now. Not bothering with the current workaround until the official fix is released. As for the delay I'm sure they need to do at least some testing to make sure it doesn't break anything more than possible.
     
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    You're probably right, though it would be pretty fast-acting on their part to issue an Executive Summary in late January and patch it in early February. That's the only thing that has me questioning the likelihood of a patch being released on the 8th. It would be great if they did, obviously.
     
  15. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    They are patching it this Tuesday.

    http://www.neowin.net/news/patch-tuesday-ie-css-and-mhtml-fixes
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Not patched.
     
  17. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Hey MrBrian
    I didn't see it.
    :)
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Microsoft Patch Tuesday Swats 22 Bugs, Misses MHTML Flaw
     
  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,049
    Location:
    USA
    Looks like someone posted some misinformation (the sites that said it would be patched). I guess I will avoid using IE for a while. Don't use it much anyway.
     
  20. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    You can either use IE9 or spend 1min using the fix it tool.
     
Loading...
Thread Status:
Not open for further replies.