XML flaw for IE still goes unpatched

A serious flaw in the XMLHTTP ActiveX component used by Internet Explorer is still being exploited, and Microsoft has not yet released a patch. This includes Microsoft's latest browser, IE 7.

Microsoft released an advisory on Friday. From the advisory, here are some of the mitigating factors it lists:

- In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

- An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

- The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.

- By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 2000 opens HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.

- By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because ActiveX and Active Scripting are disabled by default.

Notice that one of these factors is to run as a restricted user. That is a good reason to run IE with our free reduced-permissions tool at all times. I can't imagine how many flaws there are that Microsoft and the anti-virus companies are not aware of. Running with reduced permissions decreases your risk significantly.
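The mitigating factors above can be checked on a machine rather than taken on faith. The following PowerShell script is an added example, not code from the original post or from IntelliAdmin's tool: it reports whether the current user is an administrator, whether the Restricted sites zone has Active Scripting disabled, and whether IE Enhanced Security Configuration is turned on, and it shows the built-in `runas /trustlevel` way of starting IE as a basic user. The registry locations, the URL-action value `1400`, and the Active Setup component GUID are assumptions based on the standard Internet Explorer layout; they are not taken from the post.

```powershell
# Added example (not from the original post): audit the advisory's mitigating
# factors from the logged-on user's point of view.

function Test-IsAdministrator {
    # Mitigating factor: an exploit runs with the logged-on user's rights,
    # so a non-administrator account limits what a successful attack can do.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-RestrictedZoneScriptingDisabled {
    # Mitigating factor: the Restricted sites zone (zone 4) blocks Active
    # Scripting. Assumption: value name 1400 is the "Active scripting"
    # URL action and 3 means "Disable" in the standard IE zone layout.
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4'
    $val  = (Get-ItemProperty -Path $zone -Name '1400' -ErrorAction SilentlyContinue).'1400'
    return ($val -eq 3)
}

function Test-IEEnhancedSecurityEnabled {
    # Mitigating factor: on Windows Server 2003, IE Enhanced Security
    # Configuration disables ActiveX and Active Scripting by default.
    # Assumption: this Active Setup GUID is the administrators' ESC component.
    $key = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    $val = (Get-ItemProperty -Path $key -Name 'IsInstalled' -ErrorAction SilentlyContinue).IsInstalled
    return ($val -eq 1)
}

function Get-MitigationReport {
    # One object per machine, so the result can be logged or piped to Export-Csv.
    [pscustomobject]@{
        RunningAsAdministrator           = Test-IsAdministrator
        RestrictedZoneActiveScriptingOff = Test-RestrictedZoneScriptingDisabled
        IEEnhancedSecurityConfiguration  = Test-IEEnhancedSecurityEnabled
    }
}

function Start-IEAsBasicUser {
    # One built-in way to get the "reduced rights" effect without a third-party
    # tool: runas /trustlevel:0x20000 starts the program with a Basic User
    # token (run 'runas /showtrustlevels' to see the levels on this machine).
    # Path is an assumption; adjust for 64-bit or non-default installs.
    $ie = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
    & runas.exe /trustlevel:0x20000 "`"$ie`""
}

Get-MitigationReport | Format-List
```

Run the script in the account that actually browses the Web, not from an elevated admin console, or the first check will answer the wrong question. A machine that reports `RunningAsAdministrator : True` with `RestrictedZoneActiveScriptingOff : False` has none of the listed mitigations in place for Web-based attacks.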


Posted By: Steve Wiseman on Tuesday, November 07, 2006

Copyright © IntelliAdmin, LLC, 2008. All Rights Reserved