[13900] in bugtraq
patching IE  (Re: Microsoft Security Bulletin (MS00-009))
daemon@ATHENA.MIT.EDU (John Robert LoVerso)
Thu Feb 17 22:31:18 2000
Message-Id:  <200002171549.KAA78875@h201.infolibria.com>
Date:         Thu, 17 Feb 2000 10:49:09 -0500
Reply-To: John Robert LoVerso <john@LOVERSO.SOUTHBOROUGH.MA.US>
From: John Robert LoVerso <john@LOVERSO.SOUTHBOROUGH.MA.US>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

> Subject: Microsoft Security Bulletin (MS00-009)
> Patch Available for "Image Source Redirect" Vulnerability
> Originally Posted: February 16, 2000

Given the large number of JavaScript-related security issues regarding the
various versions of IE (4.0, 4.01, 4.01 SP1, 4.01 SP2, 5.0, 5.01), I'm
surprised that no one has mentioned the fact that Microsoft has made it nearly
impossible to secure IE.  Why?  Because fixes aren't quickly wrapped back into
the distribution, nor is there a fast path to getting all the appropriate fixes
installed.

Download and install the latest release of IE (5.01).  Are you safe?  No.  You
first need several crucial scripting patches.  After all, JavaScript defaults
to "on" and IE defaults to scripting bugs.

But, which patches?  Click on "Tools->Windows Update"?  That doesn't show the
latest updates.  Somehow know to go to the IE security page at
http://www.microsoft.com/windows/ie/security/default.asp?  Except, that doesn't
make it clear _which_ patches you need.  You have to individually go to each
link; some will tell you if they apply, others will just let you download the
patch.

Given the ongoing nature of scripting problems, Microsoft should consider
issuing a single, all-inclusive security patch.  Each time a new fix becomes
available, update it.

John