7 responses to “Two more IE patches released: stick with Firefox, please”

1. 

   Liz July 29th, 2009 at 17:10

   Hello
   Regarding these two patches.. I have a KB973346 which is an ‘Update for IE 8 Compatability View List for Windows Vista’ which came through on 14/7, and a whopping great 8MB KB972260 Cumulative Security Update for Windows Vista which came through just yesterday.
   Would these be the updates you are writing about?

2. 

   rc primak July 30th, 2009 at 04:53

   Liz –

   Read the SANS link in this posting. It gives oone KB Number and three MS09-xxx Numbers for the patches we are talking about here. The SANS report is one page and reads like plain English.

3. 

   rc primak July 30th, 2009 at 04:54

   P>S> Liz –

   Neither of the two KB Numbers you are asking about appears in the SANS Report.

4. 

   rc primak July 30th, 2009 at 05:05

   On a more general note, the ATL flaw is a typo in an Active X Control, according to a News Report at Infoworld.com. One extra “&” in the code. But a lot of software developers have used this flawed code, and Microsoft is not sure just how many products from Microsoft and other vendors may be affected. I guess we will just have to wait and see who patches what and how soon.

5. 

   Liz July 31st, 2009 at 04:24

   Hi rc primak
   I read the SANS link and installed the updates.
   They seem to have gone without a hitch.
   Thanks for your help!
   

6. 

   EP July 31st, 2009 at 22:15

   Using Firefox instead of IE is only part of the solution, Woody. They must also install the latest update to Adobe Flash Player as mentioned on Adobe Security Advisory APSA09-04.

   Woody, Liz and RC Primak: I would also recommend reading that Adobe security bulletin APSA09-04 and follow the instructions there.

7. 

   rc primak August 4th, 2009 at 21:56

   Thanks, EP.

   But Secunia PSI still reports that the latest Adobe Flash Player updater, outsourced from NOS Systems, is highly insecure (when used from IE, as it is an Active-X Control which sends the updates directly to the Windows Desktop, a known vector for malicious codes and scripts). So use Firefox when updating Flash Player or Shockwave.

   Also listed as insecure is Java Runtime (JRE). The best workaround here is to have anti-spyware with active browser shields, a good two-way firewall, and use Firefox with the NoScript add-on. Consider also the FF NoFlash add-on, and Better Privacy (to clear out so-called “flash cookies”, or Flash LSOs).