Two more IE patches released: stick with Firefox, please

Topic

New Reply

As I anticipated a few days ago, Microsoft has just released two Out of band patches and one security advisory for Internet Explorer. If you are runni
[See the full post at: Two more IE patches released: stick with Firefox, please]

Reply | Quote

Replies

Hello
Regarding these two patches.. I have a KB973346 which is an ‘Update for IE 8 Compatability View List for Windows Vista’ which came through on 14/7, and a whopping great 8MB KB972260 Cumulative Security Update for Windows Vista which came through just yesterday.
Would these be the updates you are writing about?

Reply | Quote

Liz —

Read the SANS link in this posting. It gives oone KB Number and three MS09-xxx Numbers for the patches we are talking about here. The SANS report is one page and reads like plain English.

Reply | Quote

P>S> Liz —

Neither of the two KB Numbers you are asking about appears in the SANS Report.

Reply | Quote

On a more general note, the ATL flaw is a typo in an Active X Control, according to a News Report at Infoworld.com. One extra “&” in the code. But a lot of software developers have used this flawed code, and Microsoft is not sure just how many products from Microsoft and other vendors may be affected. I guess we will just have to wait and see who patches what and how soon.

Reply | Quote

Hi rc primak
I read the SANS link and installed the updates.
They seem to have gone without a hitch.
Thanks for your help!

Reply | Quote

Using Firefox instead of IE is only part of the solution, Woody. They must also install the latest update to Adobe Flash Player as mentioned on Adobe Security Advisory APSA09-04.

Woody, Liz and RC Primak: I would also recommend reading that Adobe security bulletin APSA09-04 and follow the instructions there.

Reply | Quote

Thanks, EP.

But Secunia PSI still reports that the latest Adobe Flash Player updater, outsourced from NOS Systems, is highly insecure (when used from IE, as it is an Active-X Control which sends the updates directly to the Windows Desktop, a known vector for malicious codes and scripts). So use Firefox when updating Flash Player or Shockwave.

Also listed as insecure is Java Runtime (JRE). The best workaround here is to have anti-spyware with active browser shields, a good two-way firewall, and use Firefox with the NoScript add-on. Consider also the FF NoFlash add-on, and Better Privacy (to clear out so-called “flash cookies”, or Flash LSOs).

Reply | Quote