- Related Stories
-
Microsoft to slap patch on risky IE hole
April 6, 2006 -
Web developers get a respite on IE changes
March 29, 2006 -
Second unofficial fix plugs IE hole
March 28, 2006 -
Microsoft mulls rushing out IE patch
March 24, 2006 -
Another IE bug hits Microsoft
March 21, 2006 -
Microsoft updates IE after patent spat
February 28, 2006 -
Appeals court revisits Eolas decision
March 2, 2005
The Redmond, Wash., software giant sent out the IE megafix as part of its monthly Patch Tuesday cycle of bulletins. In addition, Microsoft delivered two bulletins for "critical" Windows flaws, one for an "important" vulnerability in Outlook Express and one for a "moderate" bug in a component of FrontPage and SharePoint.
"This patch release is a big one with lots of aftershocks," said Jonathan Bitle, a product manager at security company Qualys. "Three of the five updates, the IE and Windows updates, are especially critical as they take advantage of inexperienced users...Although a worm epidemic is unlikely, users can be easily enticed to visit malicious Web pages."
Eight of the 10 vulnerabilities repaired by the IE update could be abused to gain complete control over a Windows computer running vulnerable versions of the Web browser. In all instances, an attacker would have to create a malicious Web site and trick people into visiting that site to hook into a PC, Microsoft said in its Security Bulletin MS06-013.
Microsoft rates its browser update "critical" for IE 5 and IE 6, the most-used versions of the popular software. IE is vulnerable on all current versions of the Windows operating system--Windows 2000, Windows XP and Windows Server 2003--as well as on the older Windows 98 and Windows Millennium Edition, the company said.
"An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system," Microsoft said in its alert. "We recommend that customers apply the update immediately." Windows users who have automatic updates enabled for the operating system will have the fixes delivered to them.
Microsoft had been under pressure to rush the IE patch out before Tuesday because miscreants were already exploiting one of the flaws. Third parties had even provided temporary fixes for this "CreateTextRange" bug, which experts said was being used by malicious Web sites to try to drop code such as spyware on vulnerable PCs.
According to Microsoft's bulletin, three of the 10 vulnerabilities fixed by the update had been publicly disclosed. Only the CreateTextRange flaw was being exploited in attacks, the software maker said.
But Symantec has information that three of the flaws were already being exploited in attacks prior to Microsoft's patch release. More attacks are likely to follow, Oliver Friedrichs, a director at Symantec Security Response, said in a statement. "According to the latest Symantec Internet Security Threat Report, the average time between the release of a security patch and the development of an exploit is six days," he said.
Holes in Windows
In a double-whammy for Windows users, all versions of the operating system vulnerable to the IE problems are also affected by two other "critical" flaws, Microsoft said. These holes could also allow an intruder to commandeer a PC. One is related to a specific ActiveX control, a kind of Web program, (MS06-014), and the other deals with a bug in Windows Explorer (MS06-015).
In these cases also, an intruder would have to build a special Web page to take advantage of the security hole. Some of the vulnerabilities in Windows and IE could also be exploited using an HTML e-mail, which essentially is a Web page sent in an e-mail message.
Users of Outlook Express face an additional security risk, in that the e-mail application is flawed in the way it handles Windows Address Book files. Opening a specially crafted WAB file can result in execution of malicious code, giving an attacker control of the Windows PC, Microsoft said in Security Bulletin MS06-016.
The Windows bugs as well as the Outlook Express flaw were reported privately to Microsoft and have not been used in any attacks, the company said.
The last of the five security alerts issued by Microsoft, MS06-017, affects the lowest number of users and is deemed a "moderate" risk. The cross-site scripting flaw in FrontPage Web site building software and SharePoint collaboration software could lead to a system compromise, the company said.
Eolas tweaks
The IE update, in addition to security fixes, makes a change to the way IE handles ActiveX controls. These tweaks are a response to a long-running patent dispute between Microsoft and Eolas Technologies, a start-up backed by the University of California. The changes can affect how certain sites display in the browser.
People who need more time to adjust to the ActiveX changes can download a special patch that will disable them for two months. This "compatibility patch" is specifically designed for businesses that may have homegrown applications that use ActiveX, Microsoft has said.
See more CNET content tagged:
bulletin,
Microsoft Internet Explorer,
vulnerability,
Microsoft Windows ME,
cyberattack
However, Verclsid.exe appears to break some ************ in Windows explorer. This program does not run always, but when it is running you are unable to expand folders in the Windows explorer tree view. When you click on the plus sign next to a folder in the tree view; the busy cursor appears, but the folder never expands. However, if you kill the Verclsid.exe application with Task Manager, the folder(s) you've tried to expand will immediately do so the instant Verclsid.exe stops running. And when it is not running, Explorer expands folders normally.
1. I find no instance of Verclsid.exe in Task Manager. Not surprisingly, the address box in IE and Windows Exploder both work fine.
2. A Windows Search reveals four of the little rascals somewhere in the Windows folder, all dated 3/16/06. Looking at my Update History on the Windows Update site, I didn't update anything on 3/16. I updated four Windows Updates on 3/04 and the Malicious Software Removal Tool on 3/22.
3. Of the seven updates yesterday, none of them (nor the ones on 3/04) are MS06-015. In fact, going all the way back to last September, all of the updates start with "KB".
Thinking that maybe they changed their numbers when transferred to the History area, I first made an image file of my C Drive with TrueImage, then reinstalled an image file from a month ago, went back to the Windows Update site and all of the present updates start with "KB".
So it seems to me the question is, where did this "MS" update come from? And, since I don't have the Automatic Updates turned on, where did Verclsid.exe come from on 3/16?
And what makes this even more interesting is that I just now went over to Google and a search for "Verclsid.exe", then just "Verclsid", turned up exactly zero hits. This, all by itself, is extremely unusual. If this thing has been around since (at least) 3/16, surely someone would have written about it by now, and especially if it created problems.
Mystery of mysteries!
However, Verclsid.exe appears to break some ************ in Windows explorer. This program does not run always, but when it is running you are unable to expand folders in the Windows explorer tree view. When you click on the plus sign next to a folder in the tree view; the busy cursor appears, but the folder never expands. However, if you kill the Verclsid.exe application with Task Manager, the folder(s) you've tried to expand will immediately do so the instant Verclsid.exe stops running. And when it is not running, Explorer expands folders normally.
1. I find no instance of Verclsid.exe in Task Manager. Not surprisingly, the address box in IE and Windows Exploder both work fine.
2. A Windows Search reveals four of the little rascals somewhere in the Windows folder, all dated 3/16/06. Looking at my Update History on the Windows Update site, I didn't update anything on 3/16. I updated four Windows Updates on 3/04 and the Malicious Software Removal Tool on 3/22.
3. Of the seven updates yesterday, none of them (nor the ones on 3/04) are MS06-015. In fact, going all the way back to last September, all of the updates start with "KB".
Thinking that maybe they changed their numbers when transferred to the History area, I first made an image file of my C Drive with TrueImage, then reinstalled an image file from a month ago, went back to the Windows Update site and all of the present updates start with "KB".
So it seems to me the question is, where did this "MS" update come from? And, since I don't have the Automatic Updates turned on, where did Verclsid.exe come from on 3/16?
And what makes this even more interesting is that I just now went over to Google and a search for "Verclsid.exe", then just "Verclsid", turned up exactly zero hits. This, all by itself, is extremely unusual. If this thing has been around since (at least) 3/16, surely someone would have written about it by now, and especially if it created problems.
Mystery of mysteries!
Incorrect. MS06-014 relates to a MDAC flaw. MS06-013 deals with ActiveX controls among other items.
Incorrect. MS06-014 relates to a MDAC flaw. MS06-013 deals with ActiveX controls among other items.
being vulnerable merely because of its super market share. As if
quality systems and application design and architecture mean
nothing.
Come on, in this country of lawyers can't someone put together a
class action product liability suit to convince these guys to stop
putting out crap. Really, Bill said that "Security is MS's top priority"
years ago. OK, we're still waiting.
Wait, change that. Is, has, and will probably be after you for some time.
-----------
It's like blaming a company for a bulletproof vest that doesn't stop all bullets. Even if it's effective enough at the moment, very soon after said protection will be virtually gone.
Don't like Microsoft.. switch to MAC or Linux.. hey but if you actually track the bug patches that are released for the various forms of Linux you'd see a suprising amount of updates.. again not always as severe as MS's but then again most of the bugs patched here need to be exploited by sending someone to a webpage.. or receiving an HTMl email..
Simple fix.. use firefox or some other kind of browser.. and a different mail client..
so unless you can write a better OS.. STFU
"How long are we going to put up with this s**&"
Easy one, Phil.
How about, "When people stop being evil"? No evil hackers, no Windows security problems. A simple question, a simple answer.
Unfortunately, Phil, being a prime example of what's wrong with America today, then goes on to recommend a class action suit against Microsoft. If you don't like 'em, sue 'em!
Okay, Phil, let's say you get your wish. A major nationwide class action suit is filed against Microsoft by ten of thousands of people asking for untold billions of dollars and Microsoft is forced to close its Windows division. Obviously, they can't anticipate all of the clever, ingenious things the hackers are going to come up with over the next number of years, so they're left with no alternative but to quit selling Windows.
Ten years pass.
And there you are in the computer store, looking to buy some new software. There's the little section for the ABC Operating System. There's the little section for the XYZ Operating System. There's the little section for the Gloogleblaken Operating System.
Finally you find the little section of software for the Flapperjack Operating System that you're using.
Is this really the way you want it?
Back in the late 80's, I was fortunate enough to own an Amiga computer. A fabulous machine that could do things that no Mac, Wintel or Linux machine can do to this day.
The only problem?
I'd walk into Fry's Electronics, and here would be this tiny little section of Amiga software. Next to it, there would be aisles and aisles and aisles of Windows software.
The small choice of software I had really sucked.
Maybe it's just me, but I'd just as soon not go through that again. It's part of the American ethos to knock the Big Guy and support the underdog, but sometimes that attitude is just flat-out stupid.
being vulnerable merely because of its super market share. As if
quality systems and application design and architecture mean
nothing.
Come on, in this country of lawyers can't someone put together a
class action product liability suit to convince these guys to stop
putting out crap. Really, Bill said that "Security is MS's top priority"
years ago. OK, we're still waiting.
Wait, change that. Is, has, and will probably be after you for some time.
-----------
It's like blaming a company for a bulletproof vest that doesn't stop all bullets. Even if it's effective enough at the moment, very soon after said protection will be virtually gone.
Don't like Microsoft.. switch to MAC or Linux.. hey but if you actually track the bug patches that are released for the various forms of Linux you'd see a suprising amount of updates.. again not always as severe as MS's but then again most of the bugs patched here need to be exploited by sending someone to a webpage.. or receiving an HTMl email..
Simple fix.. use firefox or some other kind of browser.. and a different mail client..
so unless you can write a better OS.. STFU
"How long are we going to put up with this s**&"
Easy one, Phil.
How about, "When people stop being evil"? No evil hackers, no Windows security problems. A simple question, a simple answer.
Unfortunately, Phil, being a prime example of what's wrong with America today, then goes on to recommend a class action suit against Microsoft. If you don't like 'em, sue 'em!
Okay, Phil, let's say you get your wish. A major nationwide class action suit is filed against Microsoft by ten of thousands of people asking for untold billions of dollars and Microsoft is forced to close its Windows division. Obviously, they can't anticipate all of the clever, ingenious things the hackers are going to come up with over the next number of years, so they're left with no alternative but to quit selling Windows.
Ten years pass.
And there you are in the computer store, looking to buy some new software. There's the little section for the ABC Operating System. There's the little section for the XYZ Operating System. There's the little section for the Gloogleblaken Operating System.
Finally you find the little section of software for the Flapperjack Operating System that you're using.
Is this really the way you want it?
Back in the late 80's, I was fortunate enough to own an Amiga computer. A fabulous machine that could do things that no Mac, Wintel or Linux machine can do to this day.
The only problem?
I'd walk into Fry's Electronics, and here would be this tiny little section of Amiga software. Next to it, there would be aisles and aisles and aisles of Windows software.
The small choice of software I had really sucked.
Maybe it's just me, but I'd just as soon not go through that again. It's part of the American ethos to knock the Big Guy and support the underdog, but sometimes that attitude is just flat-out stupid.
However, I find it very funny how the biggest thing affected is Macromedia Flash and Shockwave; considering MS is suppose to release a similar product this year.
Also, this fix is very easily bypassed via a code change, so I am not sure what MS is protecting us from. More likely they just want to frustrate everyone that goes to Flash webpages. Kinda of stupid to release a "security patch" that can be by passed by adding 5-10 extra lines of code on a page.
However, I find it very funny how the biggest thing affected is Macromedia Flash and Shockwave; considering MS is suppose to release a similar product this year.
Also, this fix is very easily bypassed via a code change, so I am not sure what MS is protecting us from. More likely they just want to frustrate everyone that goes to Flash webpages. Kinda of stupid to release a "security patch" that can be by passed by adding 5-10 extra lines of code on a page.
damn... if you're still using IE, you need more then to download a patch to fix your problems.
Of course, if you are still using Windows then you still need the patch for those applications that ignore your default browser settings and lanuch IE anyway, or use the MS HTML object directly.
"Are you seriously telling me that there are still people out there who aren't using Firefox???"
I webmaster a fairly popular site for a local radio station, and, according to the stats, a whopping 7.3% are using Firefox. So, when you say "Who Cares", what you're really saying is that you don't care about 90% of the population.
So, the question is, is that the kind of person you really want to be? And, if so, would you prefer the term "smug" or "cultist" to describe yourself?
How about both? :)
damn... if you're still using IE, you need more then to download a patch to fix your problems.
Of course, if you are still using Windows then you still need the patch for those applications that ignore your default browser settings and lanuch IE anyway, or use the MS HTML object directly.
"Are you seriously telling me that there are still people out there who aren't using Firefox???"
I webmaster a fairly popular site for a local radio station, and, according to the stats, a whopping 7.3% are using Firefox. So, when you say "Who Cares", what you're really saying is that you don't care about 90% of the population.
So, the question is, is that the kind of person you really want to be? And, if so, would you prefer the term "smug" or "cultist" to describe yourself?
How about both? :)
IE - Internet Options - Security - Restricted sites - Sites...
If something is running in your Start Up, Scotty the Dog will take the bite out of it! Get WinPatrol at http://www.winpatrol.com/
IE - Internet Options - Security - Restricted sites - Sites...
If something is running in your Start Up, Scotty the Dog will take the bite out of it! Get WinPatrol at http://www.winpatrol.com/
This is just all so much nonsense, this monthly Windows patch circus. I would recommend to anyone who doesn't already have a computer that they buy a Mac and don't ever go near a Microsoft product. There is no way my 77 year old father could ever begin to deal with all this MS crap on his own.
This is just all so much nonsense, this monthly Windows patch circus. I would recommend to anyone who doesn't already have a computer that they buy a Mac and don't ever go near a Microsoft product. There is no way my 77 year old father could ever begin to deal with all this MS crap on his own.
At this point, if you don't have FF, you need to not only download FF, download Spybot Search and Destroy, Ad-Aware. It's hard to keep up with all the IE updates.
Friends don't let friends use Internet Explorer
(also known as Insecure Exploder
At the time, the "out of the box" version of Firefox was severely lacking in the features I'm looking for. Yes, I know it's possible to add things onto it... but I'm lazy. I use Avant browser (an IE shell) because it has all the features I want (and then some) built right into it.
If the day should ever come when Firefox doesn't need add-ons in order to be "feature packed," I may try it again.
I use IE everyday. I have not had any issues so far. I use it to visit some very well known sites all the time.
(I don't dislike IE, I just love tabs. When IE 7 is finished I will might use that instead.)
At this point, if you don't have FF, you need to not only download FF, download Spybot Search and Destroy, Ad-Aware. It's hard to keep up with all the IE updates.
Friends don't let friends use Internet Explorer
(also known as Insecure Exploder
At the time, the "out of the box" version of Firefox was severely lacking in the features I'm looking for. Yes, I know it's possible to add things onto it... but I'm lazy. I use Avant browser (an IE shell) because it has all the features I want (and then some) built right into it.
If the day should ever come when Firefox doesn't need add-ons in order to be "feature packed," I may try it again.
I use IE everyday. I have not had any issues so far. I use it to visit some very well known sites all the time.
(I don't dislike IE, I just love tabs. When IE 7 is finished I will might use that instead.)