Page 1 of 2 (results 1 to 10 of 17)

Thread: This was rejected on Slashdot...

  1. #1 Socialist Utopia Donkey Punch

    This was rejected on Slashdot...

    ... so might as well post it here.

    According to an article by Secunia, there are three bugs in IE even after SP2.

    1) Insufficient validation of drag and drop events from the "Internet" zone to local resources for valid images or media files with embedded HTML code. This can be exploited by e.g. a malicious web site to plant arbitrary HTML documents on a user's system, which may allow execution of arbitrary script code in the "Local Computer" zone.
    2) A security site / zone restriction error, where an embedded HTML Help control on e.g. a malicious web site references a specially crafted index (.hhk) file, can execute local HTML documents or inject arbitrary script code in context of a previous loaded document using a malicious javascript URI handler.

    Successful exploitation may allow execution of arbitrary HTML and script code in a user's browser session in context of arbitrary sites, or execution of local programs with parameters from the "Local Computer" zone using a HTML Help shortcut.
    3) A security site / zone restriction error in the handling of the "Related Topics" command in an embedded HTML Help control can be exploited by e.g. a malicious website to execute arbitrary script code in the context of arbitrary sites or zones.
    Secunia has an online test to see if you are vulnerable. As of the article, there is no official patch available, and interestingly enough, they advise users to switch browsers.
    In loving memory of my step daughter 1987-2006

    Liberty In North Korea
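The second and third bugs in the summary above both go through the embedded HTML Help control. The script below is an added example for this thread, not code from the post or from Secunia: it flags HTML that embeds that control and additionally references an .hhk index file or the "Related Topics" command. It assumes the control is identified by CLSID ADB880A6-D8FF-11CF-9377-00AA003B7A11 (the HHCtrl.ocx class ID as I recall it; confirm it against the CLSID branch of your own registry before relying on it), and the three sample pages are constructed for the demo, not captured from any real site.

```powershell
# Added example for this thread, not code from the post or from Secunia.
# Flags HTML that embeds the HTML Help ActiveX control together with the two vectors
# the advisory summary names: a referenced .hhk index file and the "Related Topics" command.
# Assumption: the control is identified by CLSID ADB880A6-D8FF-11CF-9377-00AA003B7A11
# (HHCtrl.ocx class ID from memory; confirm against your registry's CLSID branch).

function Test-HtmlHelpAbuse {
    param([string]$Html)
    # -match is case-insensitive, so the CLSID matches whichever case the page uses.
    $control = 'classid\s*=\s*["'']?clsid:\s*ADB880A6-D8FF-11CF-9377-00AA003B7A11'
    $findings = @()
    if ($Html -match $control) {
        $findings += 'embeds the HTML Help control'
        if ($Html -match '\.hhk\b')          { $findings += 'references an .hhk index file' }
        if ($Html -match 'Related\s+Topics') { $findings += 'uses the Related Topics command' }
    }
    # Leading comma keeps an empty or single-element array from being unrolled by the pipeline.
    return ,$findings
}

# Constructed sample pages (not real sites); example.invalid is a reserved, non-resolving name.
$samples = @{
    'benign.html'  = '<html><body><p>Nothing to see here.</p></body></html>'
    'hhk.html'     = '<object classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><param name="Command" value="Index"><param name="Item1" value="http://example.invalid/evil.hhk"></object>'
    'related.html' = '<object classid="clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11"><param name="Command" value="Related Topics"><param name="Item1" value="http://example.invalid/more.htm"></object>'
}

foreach ($name in $samples.Keys) {
    $hits = @(Test-HtmlHelpAbuse -Html $samples[$name])
    if ($hits.Count -eq 0) { "$name : clean" }
    else                   { "$name : " + ($hits -join '; ') }
}
```

Against the constructed samples, benign.html reports clean and the other two report the control plus the .hhk reference or the Related Topics command respectively. To run it over a proxy cache or a saved-page directory, feed each file's text to Test-HtmlHelpAbuse (for example with Get-ChildItem -Recurse -Include *.htm,*.html and [IO.File]::ReadAllText on each path). A hit only means the page drives the HTML Help control in one of the ways the advisory describes; legitimate help pages can do the same, so treat it as a lead to inspect, not a verdict.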

  2. #2 zencoder (AO Senior Cow-beller, Moderator)
    No doubt it was rejected. They are pretty much done with announcements, unless it is "Bill Gates crowned King of the Universe, Mass Riots Ensue." :P

    No offense to /. but I burned out on their tripe years ago. The discussions just don't do it for me there.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3 Socialist Utopia Donkey Punch
    Originally posted here by zencoder
    No doubt it was rejected. They are pretty much done with announcements, unless it is "Bill Gates crowned King of the Universe, Mass Riots Ensue." :P

    No offense to /. but I burned out on their tripe years ago. The discussions just don't do it for me there.
    I am noticing that very quickly. I thought it would be important for people to know, but then again, anybody can use Google News. From now on, I'll just keep the articles to myself or post them on ALS. hehe

  4. #4 zencoder (AO Senior Cow-beller, Moderator)


    LMAO! And right here on the AO main page....at the top of EIT Planet's Security News:

    IE6 Vulnerability Goes Critical

    Some days it just isn't even worth gnawing through the leather straps, ya know?

  5. #5 Tiger Shark (AO Ancient: Team Leader)
    The problem is also avoided by disabling the "Drag and drop or copy and paste files" option in Internet Explorer (Tools > Internet Options > Security > Custom Level) or to alternately set the Internet zone security level to "high".
    *Cough* My Group Policy has enforced that for almost a year... OK, it's Custom, rather than high, but it mitigates the issue.....

    This stuff isn't rocket science you know.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
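The post above gives the mitigation as a Custom Level setting in Internet Options, or the same thing pushed by Group Policy. The script below is an added example for this thread, not code from the post, Secunia or Microsoft: it writes that one setting for the current user the way the Custom Level dialog does and reports the effective value, taking a policy-set value into account. It assumes the registry layout I know for IE zones (zone settings stored as DWORD values under ...\Internet Settings\Zones\<zone>; zone 3 is Internet; value name 1802 is "Drag and drop or copy and paste files"; 0 = Enable, 1 = Prompt, 3 = Disable; Group Policy writes the same value under the Policies hive, which overrides the user's own setting). Verify those against your own build before deploying it.

```powershell
# Added example for this thread, not code from the post, Secunia or Microsoft.
# Enforces "Drag and drop or copy and paste files" = Disable for the Internet zone,
# as the Custom Level dialog does, and reports the effective setting.
#
# Assumptions (registry layout as I know it; verify on your own build):
#   - zone settings are DWORD values under ...\Internet Settings\Zones\<zone>
#   - zone 3 is "Internet"; value name 1802 is "Drag and drop or copy and paste files"
#   - 0 = Enable, 1 = Prompt, 3 = Disable
#   - Group Policy writes the same value under the Policies hive, which wins over the user setting
param([switch]$Apply)

$Zone    = '3'
$Action  = '1802'
$Disable = 3

$UserKey   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
$PolicyKey = "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"

function Get-ZoneAction {
    param([string]$Key, [string]$Name)
    # Returns the DWORD, or $null when the key or value is absent (zone default applies).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-ZoneAction {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
}

function Describe-ZoneValue {
    param($Value)
    if ($null -eq $Value) { return 'not set (zone default applies)' }
    switch ($Value) {
        0       { return 'Enable' }
        1       { return 'Prompt' }
        3       { return 'Disable' }
        default { return "unknown ($Value)" }
    }
}

function Test-Mitigated {
    # A policy-set value takes precedence; otherwise the user's own Custom Level setting applies.
    $policy = Get-ZoneAction -Key $PolicyKey -Name $Action
    $user   = Get-ZoneAction -Key $UserKey   -Name $Action
    $effective = if ($null -ne $policy) { $policy } else { $user }
    Write-Host "Policy:    $(Describe-ZoneValue $policy)"
    Write-Host "User:      $(Describe-ZoneValue $user)"
    Write-Host "Effective: $(Describe-ZoneValue $effective)"
    return ($effective -eq $Disable)
}

if ($Apply) {
    # Same effect as Tools > Internet Options > Security > Custom Level > Disable, for this user only.
    # Group Policy would write $PolicyKey instead; that hive is not writable by a standard user.
    Set-ZoneAction -Key $UserKey -Name $Action -Value $Disable
}

if (Test-Mitigated) { Write-Host 'Mitigated: drag and drop from the Internet zone is disabled.' }
else                { Write-Host 'NOT mitigated: drag and drop from the Internet zone is still allowed.' }
```

Run it without arguments to audit, and with -Apply to set the user value. Setting the Internet zone to High, the other option the post mentions, changes many actions at once; this script touches only the one action the advisory's workaround needs, which is the trade-off the "Custom, rather than high" remark in the post is about.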

  6. #6 zencoder (AO Senior Cow-beller, Moderator)
    Originally posted here by Tiger Shark
    This stuff isn't rocket science you know...
    Unfortunately, for some people it *is*...or may as well be.

    <phb>
    What do you mean we are vulnerable?
    Don't we pay for a firewall, intrusion detection monitoring, and anti-virus software?
    How can we still be vulnerable?
    Can't you do your job?
    </phb>


    Sorry, had to get it out. Thank god for the fox. Get firefox!

  7. #7 Socialist Utopia Donkey Punch
    Originally posted here by Tiger Shark
    *Cough* My Group Policy has enforced that for almost a year... OK, it's Custom, rather than high, but it mitigates the issue.....

    This stuff isn't rocket science you know.....
    Not everybody is a rocket scientist, and MS is slow with patches to resolve the issue. No big deal. Like I said, it's best to keep this stuff to myself.

  8. #8 Ninja Code Monkey
    slashdot sucks.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  9. #9 Tiger Shark (AO Ancient: Team Leader)
    Donkey: That wasn't aimed at you personally..... Don't take it that way.....

    You say M$ is "slow".... Hmmm... I bet you were one of those that complained that M$ provided a patch every three days too.... They can't win..... No problem.... I'm an M$ guy.... I seem to know my OS well enough to use what is _already_ built into it to mitigate the threats prior to having to download a patch....

    Don't keep this stuff to yourself..... It's exactly people like you pushing this stuff "up front" that allows me to see the threat and mitigate against it....

    Wanna make a deal? You keep putting up the M$ threat and I'll tell you how to mitigate or detect.... Fair?

    Zencoder:

    Sorry, had to get it out. Thank god for the fox. Get firefox!
    I use firefox myself, (using it now), but it has some limitations that either my users can't live with or that "cost" me too much in help desk. As the admin I _should_ understand my system sufficiently to be able to mitigate the threat... OK, ok, I know that's "unusual".... maybe I'm a freak... But this stuff is all doable..... It just takes the time to study the exploit and study the network to come up with a mitigation..... OK, sometimes that means closing a service or limiting it.... But the mitigation is _always_ there.... The challenge is finding it....

  10. #10 Socialist Utopia Donkey Punch
    Originally posted here by Tiger Shark
    Wanna make a deal? You keep putting up the M$ threat and I'll tell you how to mitigate or detect.... Fair?
    Do what you want.
