RSSIE Flaws Focus of April Patch Tuesday
By Ed Oswald | Published April 11, 2006, 4:15 PM
Microsoft's Internet Explorer browser was the focus of a majority of the fixes in Tuesday's monthly security update from the Redmond company. Altogether, five updates were issued, including three "critical," one "moderate," and another rated "important."
The Internet Explorer update was issued as a cumulative fix addressing ten vulnerabilities within the browser. The patch includes a fix for the much-publicized "createTextRange()" flaw, as well as fixes for HTML parsing errors, script executions, and address bar spoofing issues among others. All the flaws could result in a remote code execution risk, Microsoft said.
Separate of the Microsoft announcement, security firm eEye Digital Security said Tuesday that its temporary fix for the createTextRange() issue was downloaded by 156,000 customers in nearly two weeks.
While Microsoft frowns on the practice of applying third-party patches, the firm released data that indicated 98 percent of IT professionals would deploy a third-party patch if the vulnerability was severe enough.
"This vulnerability needed to be dealt with immediately, and so our research team quickly developed and tested a patch that specifically addressed the issue without creating a loss of functionality," eEye co-founder Marc Maiffret argued.
The update for Internet Explorer is intended for all versions of the operating system according to the advisory. Additionally, it includes a modification to the way ActiveX controls are rendered in the browser to address a possible patent infringement issue.
Other critical updates include a patch for a flaw in the execution of the RDS.Dataspace ActiveX control, and for a vulnerability in Windows Explorer's handling of COM objects. By visiting a specially designed Web site, attackers could make Explorer fail. This could open a hole to allow code execution, says Microsoft. As with the other critical flaws, all versions of Windows are affected.
Additionally, an "important" update was issued that addresses issues with how Outlook Express 5.5 and 6 handle Windows Address Book, or .wab, files. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said in its advisory.
Finally, an important update was issued for FrontPage Server Extensions. A flaw within the technology could allow for cross-site scripting, the company said. However, user interaction is needed to exploit the problem. "The script could spoof content, disclose information, or take any action that the user could take on the affected web site," Microsoft warned.
Beyond the patches, an update was issued Tuesday for the Malicious Software Removal Tool that would detect the Win32/Locksky, Win32/Valla and Win32/Reatle viruses.
Unfortunately; the update for the address book, quite simply, breaks it and it is a file related problem. Restoring my registry to the day before the update still left Windows XP (SP2 with all previous updates) unable to open any WAB file. A system restore to before the patch fixed it; but, silly me, I had to go and let it install again, today.
Another side effect is that it also broke Roxio's Easy CD Creator Platinum, version 6.
Thanks, Bill!
Score: 0
|You know... I've tested this on a lot of different sites now, and I fail to see what the fuss is about.
The original 912945 broke a lot of systems due to faulty registration of mshtml.dll (oops), but the April Cumulative Update seems to be operating perfectly fine.
On all the sites I've gone to with Flash, Shockwave, and other ActiveX and Java controls, I have had no issues at all. Oh boo hoo about a "click".
Seems like something for people to whine about is all.
Score: 0
|GoodThings2Life
Making sites user friendly and simple for ANY user should be the aim of all web developer's - thanks to this BS, any kind of interactive content within a flash file (that's EVERY flash file - if you're trying to keep .swf's small, that could run into quite a few) must be "clicked" first to activate (for example mouseovers). The issue is not with the fix to mshtml.dll registration, it's the added hassle put on users (and developers) for nothing.
Score: 0
|BTW for those on win9x: the fix, as well as previous fixes, BREAKS Windows HTML Help Troubleshooting Guide. Go here to fix: http://www.msfn.org/board/?showtopic=46581
Courtesy of http://www.MDGX.com
Score: 0
|135 days on average for MS to fix security faults in IE. 21 or 27 (can't remember which one) days on average for Mozilla to fix security faults in its' browsers. The solutions is simple, don't use IE for anything other than Windows Update. Use Firefox for everything else (You can now even open up IE within a Firefox Tab, see http://ietab.mozdev.org/ for details).
Score: 0
|Uh...so...the big question here is, should we uninstall the eEye Zero-Day patch (now apparently called createTextRange() patch). I checked, and, although your website says "eEye has engineered the patch to automatically remove itself when Microsoft’s official patch comes through", this did not happen. So, what's..uh..the deal? http://www.peeniewallie....04/eeye_screws_the.html
Score: 0
|Yeah, I'd say it's alright to remove it or simply not install it.
FYI, Security is important to me, most certainly, but I would NEVER use a 3rd party patch for security issue. It is better to use alternative workarounds.
Score: 0
|912945 is EVIL. You can get rid of it...
http://cityofrain.com/?p=567
Score: 0
|It's not evil if you never use IE. :)
I rolled it out at my workplace with an explanation. perhaps people will vote for patent reform?
Score: 0
|mjm, that may be true, but I have to write to the 90% crowd. :(
Score: 0
|I installed Microsoft's 912945 patch on Windows XP x64 Edition and as it turns out, ActiveX controls like Macromedia Shockwave Flash are apparently incompatible with the patch. Websites that use Flash show placeholders with a red "X" in place of the Flash content after I click on "Install" when prompted to install Flash. I am logged in as Administrator when this happens.
Score: 0
|The initial release of 912945 was indeed crappy and EVIL.
However, the new release as part of April's updates has yet to cause me any grief. :)
Just an FYI.
Score: 0
|Well this certainly screws over anyone using OBJECT or EMBED tags on their pages. Flash needs an extra CLICK to activate the content. Microsoft is making it easier and easier to switch to Firefox.
Score: 0
|The Flash thing is due to a lawsuit.
Score: 0
|And lawsuit is due to a broken patent system.
Broken Patent System is due to corporate dominance.
corporate dominance is due to a lack of morals in white christian leadership.
Should I go on?
Score: 0
|It's amazing how you blame a Microsoft patent lawsuit indirectly on Christianity. That's just ignorant.
Score: 0
|It's amazing peeople can't take a joke. I thought it was obvious, but whatever.
Score: 0
|You didn't use a smiley, so no, it wasn't ;)
Score: 0
|In other words those stupid flash ads won't be in my face from now on unless I click and allow them? Hurray! As far as flash stuff I want to see I don't mind clicking if it means not having all the other annoying trash all over the page.
Score: 0
|"Men never do evil so completely and cheerfully as when they do it for a religious conviction."
Score: 0
|For real, B. I use NoScript and GreaseMonkey on Firefox for the exact same reason.
Score: 0
|I think that's a pretty flame-bait worthy response.
I agree only on the point of a broken patent system, but I think you're drawing ignorant assumptions on the rest.
Score: 0
|Sorry Banquo - you're not off the hook - it only disables "interactive" content .. the flash file itself will still load.
Score: 0
|If the vuln was severe enough, I think I'd just shut down http for my company, update IDS defs or whatever method was nessesary. Almost always there is a solution that can avoid the clients.
Score: 0
|