MS-DEFCON 2: Get locked down, and get IE upgraded ASAP!
Posted on January 9th, 2013 at 10:23
Microsoft released seven security bulletins earlier today. As usual, SANS Internet Storm Center has the overview I rely on the most.
SANS only identifies one of the patches, MS13-002/KB 2756145, as being “critical” for regular Windows users – but I note with some distress that Microsoft has already changed the KB article for the patch. SANS says there are no known exploits, so I’m recommending that you avoid this and all the other patches for now.
Make sure you have Windows Automatic Update turned off. Details are on the tab above marked Automatic Update.
Far, far more important is that you get rid of Internet Explorer 8, 7, or 6. Either upgrade to IE 9 (which isn’t an option if you use Windows XP), or switch to Firefox or Chrome. As I explained a few days ago, Microsoft has a Fixit for the security hole in IE 6, 7, or 8. Unfortunately, the Fixit has already been cracked.
If you absolutely must use IE 6, 7, or 8, go ahead and apply the Fixit. But realize there’s a chance you can get hacked in a drive-by attack, where your machine gets taken over when you just look at an infected web page. You don’t have to do a bloody thing.
I’m moving us up to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.
2 responses to “MS-DEFCON 2: Get locked down, and get IE upgraded ASAP!”
rc primak January 15th, 2013 at 04:01
For Windows XP, even if you use Firefox or Chrome, IE 8 would still need the Fixit. It’s still necessary to protect IE even when your browser is third-party. Programs may update using calls to IE, and there are other times when programs open windows which are IE windows even though they don’t look like IE.
Users will in fact stay safer by using a third-party browser from now until Windows XP finally bites the dust. That’s about one year and four months from now, folks!
IE8 users don’t need the Fixit solution anymore, rc primak. Microsoft has recently released new IE security updates (MS13-008), including ones for IE8 that supersede/replace the Fixit solutions from MS KB article 2794220.