[24929] in bugtraq


RE: MS 3/28/02 Security Patch for IE6 - warning!

daemon@ATHENA.MIT.EDU (Eric)
Wed Apr 3 12:23:37 2002

Message-Id: <5.1.0.14.0.20020402221228.02164c88@mail.tellurian.net>
Date: Tue, 02 Apr 2002 22:14:23 -0800
To: Thor Larholm <Thor@jubii.dk>, "'Phil Dibowitz'" <webmaster@ipom.com>,
        bugtraq@securityfocus.com
From: Eric <ews@tellurian.net>
In-Reply-To: <52D05AEFB0D95C4BAD179A054A54CDEB1BD263@mailsrv1.jubii.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

The Register was running the script locally - in the My Computer zone.  If 
you host the malicious HTML on a web page, etc., then the patch does indeed 
prevent the execution of code.

At 12:51 AM 4/3/2002 +0200, Thor Larholm wrote:
>Further, the patch doesn't seem to work completely:
>
>http://www.theregister.co.uk/content/4/24667.html
>
>Though, in other cases, it works better than expected:
>
>http://jscript.dk/unpatched/N280302-01.html
>
>A revision of the patch may be in place.
>
>Regards
>Thor Larholm
>Jubii A/S - Internet Programmer
>
>-----Original Message-----
>From: Phil Dibowitz [mailto:webmaster@ipom.com]
>Sent: 2. april 2002 20:44
>To: bugtraq@securityfocus.com
>Subject: MS 3/28/02 Security Patch for IE6 - warning!
>
>
>BugTraq'ers,
>
>I usually consider this list a bit over my head, and don't post, just read. I'm
>not totally sure this is on-topic, but I think it is. =)
>
>The MS Security Patch for IE6:
>
>----------------
>Security Update, March 28, 2002 (Internet Explorer 6)
>2456 KB/ Download Time: < 1 min
>The "28 March 2002 Cumulative Patch for Internet Explorer" update eliminates
>all previously addressed security vulnerabilities affecting Internet Explorer 6,
>as well as two new vulnerabilities, and is discussed in Microsoft Security
>Bulletin MS02-015. Download now to protect your computer from these
>vulnerabilities, the most serious of which could allow a malicious user to run
>code on your computer.
>----------------
>(That's directly from the MS Windows Update Site)
>
>Seems to be pretty buggy. It trashed a Win2K machine of mine yesterday. After
>installing, I rebooted and shortly after lost my network connection... then I
>was unable to get into 'Network and Dialup Connections' or 'Add/Remove
>programs.' I tried recovery from 'Safe Mode' and 'Last known good configuration'
>options at boot, but I had the same problems in both modes. Doing a 'recovery'
>from CD didn't fix it either. As a last resort I chose to do an 'upgrade' from
>CD which downgraded IE6 to IE5 fixing the problem. I was then able to patch up
>to the latest IE MINUS that patch.
>
>A friend of mine also had a very similar experience with the patch. I'm curious
>to know if others have the same problem, and I also wanted to warn people.
>
>Phil
>--
>Insanity Palace of Metallica
>http://www.ipom.com
>webmaster@ipom.com
>--

